(Trojan-Downloader.Win32.Obitel.a; Trj/Agent.JEN; Win32/TrojanDownloader.Tiny.NDM; TR/Dldr.Tiny.brm)
Symptoms
Presence of the file %sysdir%\userini.exe (the copy of the clean userinit.exe that the malware sets aside before overwriting the original).
Removal instructions:
Replace the infected %sysdir%\userinit.exe with %sysdir%\userini.exe (the clean original the malware set aside) by renaming it back, then let BitDefender disinfect your files. Before renaming, confirm that userini.exe is the genuine Windows binary (for example by comparing it with a known-good copy from the installation media), since the trojan is what created it.
Analyzed By
Dan Anton, virus researcher
Technical Description:
When executed, the malware copies the original (clean) file %sysdir%\userinit.exe to %sysdir%\userini.exe. It then disables Windows File Protection and overwrites %sysdir%\userinit.exe with a copy of itself, so that it is launched at every system start-up and logon in place of the real userinit.exe.
After deleting the initially executed copy of itself, the malware drops the file %tempdir%\ie[hex-digit].tmp, detected as Trojan.Downloader.Gadja.D.
It starts a new %sysdir%\svchost.exe process and injects its code into it, so that its network activity appears to come from a trusted system process and bypasses firewalls and other security software.
It also tries to download other malware from the following URLs, save it to %tempdir%\ie[hex-digit].tmp and execute it:
- http://fixaserver.ru/[hide]/gate.php?[8-digit-hex-number]
- http://djaga-djaga.cn/[hide]/gate.php?[8-digit-hex-number]
An example of a downloaded file is one detected as Trojan.Peed.JOP.
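The host-based and network indicators above (the userini.exe backup beside a replaced userinit.exe, the ie[hex-digit].tmp drop in %tempdir%, and the gate.php?[8-digit-hex-number] requests to the two listed hosts) can be checked with a short script. The following is an added example written for this page, not BitDefender's own tooling. The sample proxy log lines and the directory layout it scans are constructed; the page only gives the URL shape, so the path between the host and gate.php is matched loosely, and the temp-file pattern is assumed to allow one or more hex digits.

```python
"""IOC checks for the userinit.exe-overwriting downloader described above.
Added example; the sample data below is constructed, not captured traffic."""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Download hosts named in the description.
KNOWN_HOSTS = {"fixaserver.ru", "djaga-djaga.cn"}

# http://<host>/<hidden path>/gate.php?<exactly 8 hex digits>
# The page shows the path as [hide], so only host, script name and query shape are matched.
GATE_URL_RE = re.compile(
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?/\S*?gate\.php\?(?P<tag>[0-9A-Fa-f]{8})(?![0-9A-Fa-f])"
)

# %tempdir%\ie[hex-digit].tmp ; one or more hex digits is an assumption, the page shows one.
TEMP_DROP_RE = re.compile(r"^ie[0-9a-f]+\.tmp$", re.IGNORECASE)


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sysdir(sysdir: Path) -> Dict[str, object]:
    """Look for the malware's backup of the clean userinit.exe and a replaced userinit.exe.

    userini.exe never exists on a clean system. If both files exist and their hashes
    differ, userinit.exe is the overwritten one and userini.exe the clean original that
    the removal instructions say to rename back.
    """
    userinit = sysdir / "userinit.exe"
    userini = sysdir / "userini.exe"
    result: Dict[str, object] = {
        "userini_present": userini.is_file(),
        "userinit_present": userinit.is_file(),
        "userinit_replaced": None,  # unknown unless both files exist
    }
    if userinit.is_file() and userini.is_file():
        result["userinit_replaced"] = _sha256(userinit) != _sha256(userini)
    return result


def find_temp_drops(tempdir: Path) -> List[str]:
    """Names of files in tempdir matching the dropped/downloaded ie<hex>.tmp pattern."""
    return sorted(p.name for p in tempdir.iterdir() if p.is_file() and TEMP_DROP_RE.match(p.name))


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag gate.php?<8 hex> requests and mark whether the host is one named on the page."""
    hits = []
    for line in lines:
        m = GATE_URL_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower()
        hits.append({
            "host": host,
            "tag": m.group("tag").lower(),
            "known_host": host in KNOWN_HOSTS,
            "line": line.rstrip(),
        })
    return hits


# Constructed sample proxy log lines (hypothetical, not real traffic).
SAMPLE_LOG = [
    "2009-03-02 10:14:05 10.0.0.7 GET http://fixaserver.ru/somewhere/gate.php?0a1b2c3d 200",
    "2009-03-02 10:14:09 10.0.0.7 GET http://djaga-djaga.cn/x/gate.php?DEADBEEF 404",
    "2009-03-02 10:15:00 10.0.0.8 GET http://example.com/index.html 200",
    # 10 hex digits: does not fit the 8-digit shape, so it is not flagged
    "2009-03-02 10:16:00 10.0.0.9 GET http://other.example/cgi/gate.php?0123456789 200",
]

if __name__ == "__main__":
    import sys
    # Usage: python ioc_check.py <sysdir> <tempdir>; defaults are typical Windows XP paths.
    sysdir = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\Windows\system32")
    tempdir = Path(sys.argv[2]) if len(sys.argv) > 2 else Path(r"C:\Windows\Temp")
    print(check_sysdir(sysdir))
    print(find_temp_drops(tempdir))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The hash comparison is deliberately relative: it only says whether userinit.exe and userini.exe differ, which is the condition the removal step relies on. A positive result still needs the userini.exe copy to be verified against a known-good Windows binary before it is renamed back, since the trojan is the process that wrote it.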