Trojan.Fotomoto.F
HIGH
VERY LOW
~71KB
(Trojan.Win32.Obfuscated.kp, Trojan.EzulaAd)
Symptoms
Presence of a key named "DomainService" in "HKLM\System\CurrentControlSet\Services".
Appearance of a process running with system service rights and the description "DDC".
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Sorin Ciorceri, virus researcher
Technical Description:
Trojan.Fotomoto.F is a trojan with adware functionality. When installed, this version performs the following actions:
a) It connects to an internet server and reports some basic information about the infected computer.
b) It modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 4
This stops Windows File Protection from notifying the user when system files are replaced and from logging such events.
c) It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService where it registers itself as a service.
d) It creates a process that runs as a service. The process creates an event so that, if the process is closed, it restarts itself, which changes its process ID.
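A read-only triage check for the indicators listed above, added here as an example (it is not BitDefender's code). The function name Test-FotomotoIndicators is hypothetical, and matching "DDC" against the executable's file description is an assumption about what the description refers to.

```powershell
# Added example: reports which indicators from this description are present.
# It only reads the registry and the process/service lists; it changes nothing.
function Test-FotomotoIndicators {
    $findings = @()

    # (b) SFCDisable set to 4 under Winlogon
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
    if ($null -ne $sfc -and $sfc -eq 4) {
        $findings += [pscustomobject]@{ Indicator = 'SFCDisable'; Detail = "$winlogon\SFCDisable = $sfc" }
    }

    # (c) The two DomainService keys
    $keys = 'HKLM:\SOFTWARE\Microsoft\DomainService',
            'HKLM:\SYSTEM\CurrentControlSet\Services\DomainService'
    foreach ($key in $keys) {
        if (Test-Path -Path $key) {
            $findings += [pscustomobject]@{ Indicator = 'RegistryKey'; Detail = $key }
        }
    }

    # (d) The service restarts itself with a new process ID, so identify it
    # by service name and image path rather than by PID.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DomainService'" -ErrorAction SilentlyContinue
    if ($svc) {
        $detail = "State=$($svc.State) PID=$($svc.ProcessId) Path=$($svc.PathName)"
        $findings += [pscustomobject]@{ Indicator = 'Service'; Detail = $detail }
    }

    # Symptom: a process with the description "DDC"
    # (assumption: this is the file description of the running executable).
    $procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Description -eq 'DDC' }
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "PID=$($p.Id) Path=$($p.Path)" }
    }

    $findings
}

$result = Test-FotomotoIndicators
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'None of the listed indicators were found.' }
```

Run it from an elevated prompt so process paths resolve. A single match is a lead to investigate, not a verdict, since only the combination of indicators is described here.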