Details:
Upon execution, this file infector drops the following files in the Windows Temporary folder:
- FINALDOOM.DLL - detected by Trend Micro as TROJ_FINALDO.B, which this file infector uses in its initial file-dropping routine and deletes afterwards
- FINALDOOM.EML - a MIME email containing the embedded .EXE file
It searches local drives for Windows executable files with .EXE, .SCR, and .OCX extensions and appends itself to the end of each host file by expanding the file's last section. The infection differs from file to file, since it employs polymorphism by inserting random garbage bytes between code sequences.
When an infected machine is first restarted, infected files that run during startup tend to produce errors because they reference the deleted Trojan. Before these files exit, they drop a copy of the Trojan in the Windows Temporary folder. On the next restart, these files no longer encounter errors since the Trojan is already present.
This file infector is capable of infecting other machines connected to a local area network. It infects all executable files in shared folders that grant write permission. It also infects .HTML, .HTM, and .ASP files by appending JavaScript code that opens the infected FINALDOOM.EML. Trend Micro detects these infected files as JS_FINALDO.B.
It contains the following text strings in its body:
"Coded by Finaldoom"
This file infector runs on Windows 98, ME, NT, 2000, and XP.
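The appending behaviour described above (host file extended by growing its last section) leaves a header-level trace that defenders can check for: the entry point ends up inside the last section, and that section has to be executable. The following is an added example written for this entry, not Trend Micro's detection logic; it parses the PE section table with the standard library only, and build_pe constructs a synthetic header so the heuristic can be exercised offline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (entry_rva, sections) from a PE image, or None if it is not a PE file.
    Each section is (name, virtual_address, virtual_size, characteristics)."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]       # Characteristics
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
        off += 40                                                # IMAGE_SECTION_HEADER size
    return entry, sections

def entry_in_last_executable_section(data):
    """Heuristic for appending infectors: entry point redirected into the (expanded)
    last section, which is marked executable. Flags, it does not prove, infection."""
    parsed = parse_pe(data)
    if not parsed or not parsed[1]:
        return False
    entry, sections = parsed
    _, va, vsize, chars = sections[-1]
    return va <= entry < va + vsize and bool(chars & IMAGE_SCN_MEM_EXECUTE)

def build_pe(entry_rva, sections):
    """Constructed, minimal PE32 header (no real code) for offline testing only;
    sections are (name, va, vsize, characteristics) tuples."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    opt_size = 224                                               # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table
```

Real binaries whose last section legitimately holds code (some packers, some linkers) also trigger this, so treat a hit as a candidate for scanning, not a verdict.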