Details:
This Trojan may be dropped by other malware.
Upon execution, this Trojan creates the following folder:
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It drops the following copies of itself:
- %Windows%\Fonts\a.zip
- %Windows%\Fonts\Setup.exe
- %Windows%\Fonts\svchost.exe
It also drops the following non-malicious file:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
This Trojan creates the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Host Process = "%Windows%\Fonts\svchost.exe"
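A defender-side check for the persistence described above, as an added example that is not part of the original write-up: it parses `reg query` output for the Run key and flags values that launch an executable from the Fonts folder or a svchost.exe located outside System32. The sample output, the `SecurityHealth` and `Updater` entries, and all function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the Run key; not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Host Process    REG_SZ    "C:\Windows\Fonts\svchost.exe"
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\WINNT\Fonts\Setup.exe /silent
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
ENTRY = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
WINDOWS_DIRS = (r"c:\windows", r"c:\winnt")  # usual %Windows% locations per the write-up

def exe_path(data, windir=r"C:\Windows"):
    """Return the normalized, lower-cased executable path from a Run value."""
    # A lambda replacement keeps the backslashes in windir literal.
    data = re.sub(r"%(windir|systemroot)%", lambda m: windir, data, flags=re.I)
    # Quoted path first, otherwise everything up to the first ".exe".
    m = re.match(r'\s*"([^"]+)"', data) or re.match(r"\s*(.+?\.exe)\b", data, re.I)
    path = m.group(1) if m else data.strip()
    return ntpath.normpath(path).lower()

def suspicious_run_entries(reg_output):
    """Return (value name, path, reasons) for Run values matching the behaviour."""
    findings = []
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        path = exe_path(m.group("data"))
        folder, base = ntpath.split(path)
        reasons = []
        if any(folder == w + r"\fonts" for w in WINDOWS_DIRS):
            reasons.append("executable in Fonts folder")
        if base == "svchost.exe" and not any(folder == w + r"\system32" for w in WINDOWS_DIRS):
            reasons.append("svchost.exe outside System32")
        if reasons:
            findings.append((m.group("name"), path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```
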
This Trojan accesses URLs to download files:
- http://{BLOCKED}ay-warez.com/ddl-{number}.html
- http://{BLOCKED}reznova.com/index{number}.htm
- http://{BLOCKED}lspot.com/index-{number}.html
- http://{BLOCKED}l2.com/index_page-{number}.html
- http://{BLOCKED}tz.cd/pg/{number}
These files are related to download sites and are non-malicious.
This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Jessa De La Torre