Trojan.Spy.Agent.NKG
Symptoms:
Presence of the following file:
%windir%\system32\BttnServ.exe
Presence of %windir%\svchost.exe as an active process
On removable storage devices:
Presence of the following file:
\NewFolder.exe (with a folder icon)
Removal instructions:
Terminate the process %windir%\svchost.exe.
Delete the file %windir%\system32\BttnServ.exe and any files the trojan created on your removable media.
Remove the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN.
Please let BitDefender disinfect your files.
Technical description:
This trojan arrives as a 98304-byte file written in Visual Basic. It carries a folder icon so that the user is tricked into executing it.
Upon execution, the file copies itself to the following locations:
%windir%\svchost.exe
%windir%\system32\BttnServ.exe
Both copies are hidden.
Next, the trojan executes %windir%\svchost.exe and sets the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default) to %windir%\svchost.exe.
The originally received file then terminates its own process.
Once running, %windir%\svchost.exe stays resident in memory and deletes itself from the hard disk.
The trojan uses an invisible window, so it runs in the background with no visible user interface.
It ensures that it is started again after the next reboot by setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN to %windir%\system32\BttnServ.exe.
While running, the trojan reads the contents of every text box in every Internet Explorer window and stores them. This read is repeated every 500 ms. The collected information is then sent using MAPI (an architecture for messaging applications).
The messages are sent to http://mail.madcoffee.com/index.php using the account OperationDefecha@yahoo.com.
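The indicators above can be checked on a suspect machine with the following read-only PowerShell triage script, an added example that is not part of the BitDefender entry. It assumes the file, process and registry indicators exactly as listed on this page, reports what it finds, and changes nothing, so the findings can be confirmed before the removal steps are applied.

```powershell
# Read-only triage script (added example, not part of the BitDefender entry).
# It reports the indicators described above and changes nothing, so findings
# can be confirmed before the removal steps are applied. Run it elevated so
# process image paths are readable.
$windir   = $env:windir
$badHost  = Join-Path $windir 'svchost.exe'            # dropped copy, not System32
$bttnServ = Join-Path $windir 'system32\BttnServ.exe'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# [System.IO.File]::Exists ignores the hidden attribute the dropper sets.
if ([System.IO.File]::Exists($bttnServ)) {
    $findings += "File present: $bttnServ"
}

# The %windir%\svchost.exe copy deletes itself from disk once running, so the
# process image path, not the file, is the reliable sign. The legitimate
# svchost.exe runs from %windir%\System32, never from %windir% itself.
foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    if ($p.Path -and ($p.Path -ieq $badHost)) {
        $findings += "Process $($p.Id) running from $($p.Path)"
    }
}

# Persistence: the CPQEASYBTTN value and the hijacked (Default) value.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.CPQEASYBTTN) {
    $findings += "Run\CPQEASYBTTN = $($run.CPQEASYBTTN)"
}
if ($run -and $run.'(default)' -and ($run.'(default)' -ieq $badHost)) {
    $findings += "Run\(Default) = $($run.'(default)')"
}

# Removable drives (DriveType 2): NewFolder.exe in the root, also hidden.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $candidate = Join-Path $d.DeviceID 'NewFolder.exe'
    if ([System.IO.File]::Exists($candidate)) {
        $findings += "File present on removable drive: $candidate"
    }
}

if ($findings.Count -eq 0) {
    'No Trojan.Spy.Agent.NKG indicators found.'
} else {
    $findings
}
```

A process whose image path is %windir%\svchost.exe is the strongest single indicator, because the legitimate service host only ever runs from %windir%\System32.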