My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Trojan.Downloader.Firu.E

LOW
MEDIUM
29248
(Trojan-Downloader.Win32.Firu.dx, Trojan:Win32/Bohmini.A, TROJ_FIRU.Q)

Symptoms

Executables with random names composed out of 8 characters (letters and numbers) in the system32 directory of size 29248. Examples:

C:\WINDOWS\system32\68S3ynp7.exe
C:\WINDOWS\system32\2B0E7jhj.exe

(These are just examples, the actual file names are generated randomly)

The presence of 24 jobs named At1 - At24 in the task scheduler pointing to such an executable (if there were already tasks named "At...", the numbering will start at the first free number).

Removal instructions:

Boot in safe mode and scan your computer with BitDefender. Let BitDefender delete the infected files. Remove the created tasks from the Task Scheduler.

Analyzed By

Attila-Mihaly Balazs, virus researcher

Technical Description:

Upon execution this malware (if it didn't do so already) copies itself to the system32 directory (typically C:\Windows\System32) with a random name consisting of 8 letters and numbers (for example 68S3ynp7.exe or 2B0E7jhj.exe).

The executable created above is scheduled for execution via the "Scheduled Tasks" feature. It creates 24 distinct entires, each scheduled to start every day at a fixed hour (at 00, at 01, 02 and so on until 23). If the Task Scheduler service is stopped, the malware starts it and sets it to auto-start upon reboot.

When executed from the system32 directory, it deletes the file passed to it through the command line (this feature is used to delete the original file once it has copied itself to the system32 directory and started the copy). Upon execution from the system32 directory, the malware injects itself in every running process (because of this, the cleaning must be done from Safe mode).

The malware transmits to a central server informations about the infected sysmtes (the version and product key of the operating systems, the serial number of the hard disk and so on).