Trojan.Downloader.Firu.G
MEDIUM
MEDIUM
29,760
(Trojan-Downloader.Win32.Firu.dw; Trojan:Win32/Bohmini.A; W32/Firu.DW!tr.dldr)
Symptoms
the presence in %windir%\system32 of an executable with a random eight character name;
the presence of 24 scheduled tasks named At1 to At24, each set to run the executable mentioned above at a fixed hour.
Removal instructions:
Delete the scheduled tasks and the file in %windir%\system32 created by the malware.
Analyzed By
Deac Razvan-Ioan, virus researcher
Technical Description:
When the file is first executed, it creates a copy of itself in %windir%\system32 with a random name. This copy is scheduled to run at fixed hours via "Scheduled Tasks" (the At1 to At24 tasks listed under Symptoms). The original file is then deleted.
In order to hide itself, it injects its code into running processes and then kills its own process.
The malware is used to download other malicious files from the internet. It also disables certain security software, if encountered.
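The symptoms above (AtN tasks in "Scheduled Tasks" that all point at a random eight-character executable in %windir%\system32) can be checked from a verbose task export. The following is an added example, not part of this description or of the vendor's tooling: it parses constructed sample rows in the shape of `schtasks /query /fo csv /v` output (the column names used are an assumption) and lists the matching tasks together with the clean-up commands the removal instructions describe. The task name alone is not enough, since the legacy `at` command also creates tasks named At1, At2, ...; the combination with the payload path is what distinguishes this family.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo csv /v` output,
# reduced to the columns the check needs (column names are an assumption).
SAMPLE_CSV = (
    '"TaskName","Task To Run","Schedule Type","Start Time"\n'
    '"\\At1","C:\\WINDOWS\\system32\\qwsadfgh.exe","Daily","1:00:00"\n'
    '"\\At2","C:\\WINDOWS\\system32\\qwsadfgh.exe","Daily","2:00:00"\n'
    '"\\At3","C:\\WINDOWS\\system32\\qwsadfgh.exe","Daily","3:00:00"\n'
    '"\\Backup","C:\\Program Files\\Backup\\backup.exe /nightly","Daily","23:00:00"\n'
    '"\\GoogleUpdateTaskMachineUA","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua","Daily","4:00:00"\n'
)

# Task names the symptom describes: At1 .. At24 (schtasks prefixes them with a backslash).
TASK_NAME_RE = re.compile(r"^\\?At(\d{1,2})$", re.IGNORECASE)
# Payload path: %windir%\system32\<eight random alphanumerics>.exe, no arguments.
PAYLOAD_RE = re.compile(
    r"^(?:%windir%|[a-z]:\\windows)\\system32\\[a-z0-9]{8}\.exe$", re.IGNORECASE
)


def firu_task_indicators(csv_text):
    """Return the rows whose task name AND command line match the Firu.G pattern."""
    suspects = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("TaskName") or "").strip()
        cmd = (row.get("Task To Run") or "").strip().strip('"')
        number = TASK_NAME_RE.match(name)
        if number and 1 <= int(number.group(1)) <= 24 and PAYLOAD_RE.match(cmd):
            suspects.append(
                {"task": name.lstrip("\\"), "file": cmd, "start": row.get("Start Time", "")}
            )
    return suspects


def removal_commands(suspects):
    """Build (but do not run) the clean-up steps from the removal instructions:
    delete each scheduled task, then the dropped file(s) they point at."""
    cmds = [f'schtasks /delete /tn "{s["task"]}" /f' for s in suspects]
    for path in sorted({s["file"] for s in suspects}):
        cmds.append(f'del /f "{path}"')
    return cmds


if __name__ == "__main__":
    found = firu_task_indicators(SAMPLE_CSV)
    for s in found:
        print(f'{s["task"]} at {s["start"]} -> {s["file"]}')
    print("\n".join(removal_commands(found)))
```

On a live system, feed the function the output of `schtasks /query /fo csv /v` instead of the sample, and review the generated commands before running them.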