Trojan.Downloader.Gadja.C( Trojan-Downloader.Win32.Obitel.a; Trj/Agent.JEN; Win32/TrojanDownloader.Tiny.NDM; TR/Dldr.Tiny.brm )
SYMPTOMS: Presence of the file %sysdir%\userini.exe.

TECHNICAL DESCRIPTION: When executed, the malware copies the original (clean) file %sysdir%\userinit.exe to %sysdir%\userini.exe. It disables System File Protection and overwrites %sysdir%\userinit.exe with a copy of itself, so that it is executed on every system start-up. After deleting the initially executed copy of itself, the malware drops the file %tempdir%\ie[hex-digit].tmp, detected as Trojan.Downloader.Gadja.D. It starts a new %sysdir%\svchost.exe process and injects its code into it in order to bypass firewalls and other security software. It also tries to download other malware from the following URLs, save the downloads to %tempdir%\ie[hex-digit].tmp and execute them:
An example of a downloaded malware file is Trojan.Peed.JOP.

Removal instructions: Rename %sysdir%\userini.exe back to %sysdir%\userinit.exe and let BitDefender disinfect your files.

ANALYZED BY: Dan Anton, virus researcher
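A defender-side check for the symptoms listed above, added here as an example and not a BitDefender tool. It assumes a standard %SystemRoot%\System32 layout and that a legitimate userinit.exe carries a valid Microsoft Authenticode signature; run it from an elevated PowerShell prompt.

```powershell
# Added example: looks for the artefacts described in this entry.
# Assumption: %sysdir% is %SystemRoot%\System32 and %tempdir% is $env:TEMP.
$sys      = Join-Path $env:SystemRoot 'System32'
$userinit = Join-Path $sys 'userinit.exe'
$backup   = Join-Path $sys 'userini.exe'   # clean copy renamed by the malware
$findings = @()

# Symptom from the entry: the renamed clean copy is present.
if (Test-Path -Path $backup) {
    $findings += "Found $backup (clean userinit.exe renamed by Gadja.C)"
}

# The overwritten userinit.exe no longer carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $userinit
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "$userinit signature status: $($sig.Status) (expected a valid Microsoft signature)"
}

# Dropped downloader: %tempdir%\ie[hex-digit].tmp (one hex digit after 'ie').
Get-ChildItem -Path $env:TEMP -Filter 'ie*.tmp' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^ie[0-9A-Fa-f]\.tmp$' } |
    ForEach-Object { $findings += "Dropped file candidate: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No Gadja.C artefacts found.'
} else {
    $findings
}
```

A hit on the signature check alone is not proof of infection (some third-party tools also replace userinit.exe), so confirm against the presence of userini.exe before following the removal instructions.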