Description
Once launched, the Trojan performs the following actions:
- It attempts to connect to the following HTTP servers:
87.***.14
69.***.224
- It creates the directory:
%System%\<rnd>
where <rnd> is a random five-digit decimal number.
- It extracts a file from its body and saves it in the system as:
%System%\<rnd>\svchost.exe
(525 312 bytes; detected by Kaspersky Anti-Virus as “not-a-virus:Monitor.Win32.Ardamax.ae”)
- It launches the extracted file for execution.
- It modifies the values of the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions" = 0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = 0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = 1
The modification of the last key disables the registry editor.
- It creates the file:
%System%\setup.ini (96 bytes)
with the following content:
[Autorun]
Open=regsvr.exe
Shellexecute=regsvr.exe
Shell\Open\command=regsvr.exe
Shell=Open
- It launches the system command interpreter “cmd.exe” with the following parameters:
/C AT /delete /yes
This cancels all scheduled tasks in Windows Task Scheduler.
/C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %System%\svchost.exe
Every day at 9:00, Windows Task Scheduler will launch a copy of the Trojan.
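As an added example that is not part of the original description: a small Python detector that applies the behaviours listed above (the AT.exe purge and daily job, the HKCU policy restriction, the dropped svchost.exe copy and setup.ini) to constructed Sysmon-style events. The event shapes, field names and sample values are assumptions for the example.

```python
import re

# Constructed events shaped like Sysmon EventID 1 (process create), 11 (file create)
# and 13 (registry value set); made up for this example, not telemetry from the page.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r"cmd.exe /C AT /delete /yes"},
    {"id": 1, "cmdline": r"cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su "
                         r"C:\Windows\system32\svchost.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows"   # HKCU shows as HKU\<SID>
                         r"\CurrentVersion\Policies\System\DisableRegistryTools",
     "details": "DWORD (0x00000001)"},   # Sysmon renders DWORD data in this form
    {"id": 11, "target": r"C:\Windows\system32\48213\svchost.exe"},
    {"id": 11, "target": r"C:\Windows\system32\setup.ini"},
    {"id": 1, "cmdline": "cmd.exe /C dir"},  # benign: must produce no finding
]

# "AT /delete /yes" wipes every scheduled job.
AT_PURGE = re.compile(r"\bat(?:\.exe)?\s+/delete\s+/yes\b", re.I)
# Daily interactive AT job whose target is something named svchost.exe.
AT_PERSIST = re.compile(r"\bat(?:\.exe)?\s+\d{1,2}:\d{2}\s+/interactive\s+/every:\S+\s+\S*svchost\.exe", re.I)
# The three HKCU policy values the Trojan touches; data 1 turns the restriction on.
POLICY_VALUE = re.compile(r"\\Policies\\(?:Explorer|System)\\(NoFolderOptions|DisableTaskMgr|DisableRegistryTools)$", re.I)
# Dropped copy under %System%\<five digits>\svchost.exe and the autorun-style setup.ini.
RND_DROP = re.compile(r"\\system32\\\d{5}\\svchost\.exe$", re.I)
SETUP_INI = re.compile(r"\\system32\\setup\.ini$", re.I)

def classify(event):
    """Return the finding labels for one event (empty list when nothing matched)."""
    hits = []
    if event["id"] == 1:
        cmd = event.get("cmdline", "")
        if AT_PURGE.search(cmd):
            hits.append("at_purge_all_jobs")
        if AT_PERSIST.search(cmd):
            hits.append("at_daily_interactive_svchost")
    elif event["id"] == 13:
        m = POLICY_VALUE.search(event.get("target", ""))
        if m and event.get("details", "").endswith("(0x00000001)"):
            hits.append("policy_restriction_enabled:" + m.group(1))
    elif event["id"] == 11:
        target = event.get("target", "")
        if RND_DROP.search(target):
            hits.append("svchost_copy_in_random_system_subdir")
        if SETUP_INI.search(target):
            hits.append("system32_setup_ini_created")
    return hits

def scan(events):
    # Pair each event index with its findings; benign events drop out.
    return [(i, hit) for i, e in enumerate(events) for hit in classify(e)]
```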