Trojan.Fotomoto.F (Trojan.Win32.Obfuscated.kp, Trojan.EzulaAd)
SYMPTOMS:
Presence of a key named "DomainService" in "HKLM\System\CurrentControlSet\Services".
Appearance of a process with the rights of a system service and the description "DDC".

TECHNICAL DESCRIPTION:
Trojan.Fotomoto.F is a trojan with adware functionality. When installed, this version performs the following actions:

a) It connects to an internet server and reports some basic information about the infected computer.
b) It modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 4
This stops Windows File Protection from giving notification on replacement of system files or building a log for events.
c) It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService
where it registers itself as a service.
d) It creates a process that runs as a service. This process creates an event so that, if the process is closed, it restarts itself, thus changing its process ID.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Sorin Ciorceri, virus researcher
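The registry changes listed under b) and c) can be checked offline against a registry export. The following is an added example, not BitDefender's own code: it assumes the export is in the "Windows Registry Editor Version 5.00" text format and has already been decoded to a string; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the description above (registry paths are case-insensitive).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService",
)

def parse_reg_export(text):
    """Parse .reg export text into {key_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """Return a list of findings matching the registry changes described above."""
    keys = parse_reg_export(text)
    findings = []
    sfc = keys.get(WINLOGON.lower(), {}).get("sfcdisable", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", sfc)
    if m and int(m.group(1), 16) == 4:
        findings.append("SFCDisable=4 under Winlogon")
    for key in SERVICE_KEYS:
        # A subkey of the service key also implies the key itself exists.
        if any(k == key.lower() or k.startswith(key.lower() + "\\") for k in keys):
            findings.append("key present: " + key)
    return findings

# Constructed sample export, not taken from a real infected host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService]
"Description"="DDC"
'''

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)))
```

A match on the service key alone is the stronger signal; SFCDisable can also be set by other software, so treat it as supporting evidence.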