
Tuesday, December 29, 2009

Trojan.TDss.ZR - complex malware

This is a complex piece of malware that performs the following actions upon execution:

- creates a copy of itself in the "%windir%\System32\spool\PRTPROCS\W32X86\" directory under the name "[random-number].tmp" and modifies the headers of the copy so that it is marked as a DLL;
- creates a driver file in the "%windir%\Temp\" directory under the name "[random-number].tmp";
- creates a copy of itself in the "%Temp%" directory under the name "[random-number].tmp";
- injects code into the "spoolsv.exe" process in order to run with higher privileges; the injected code loads the dropped driver;
- the injected code also communicates with servers such as https://h4356***.cn, https://h9237***.cn and https://212.117.174.***, making the computer part of a botnet; from then on it can download files, execute them and perform many other malware-related actions.
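The drop locations and the "DLL-marked copy" detail above are the most checkable part of this description. The following triage script is an added example, not BitDefender's code or anything from the original post: it walks the three directories named in the write-up, picks out files named "[digits].tmp", and reports those that carry an MZ/PE header, distinguishing images with the IMAGE_FILE_DLL characteristic (0x2000 in the COFF header) from plain executables. The directory layout and PE bytes built in `demo()` are constructed test data, and the `drop_dirs`, `scan` and `classify_file` names are this example's own.

```python
"""Triage helper for the drop locations described in the write-up (added
example, not vendor code). Looks for "<digits>.tmp" files in the spool
processor, %windir%\Temp and %Temp% directories and reports those that are
really PE images, flagging ones marked as DLLs."""
import os
import re
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag marking a DLL image
TMP_NAME = re.compile(r"^\d+\.tmp$", re.IGNORECASE)


def drop_dirs(windir=None, temp=None):
    """The three directories named in the description (deduplicated)."""
    windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
    temp = temp or os.environ.get("TEMP", os.path.join(windir, "Temp"))
    dirs = [
        os.path.join(windir, "System32", "spool", "PRTPROCS", "W32X86"),
        os.path.join(windir, "Temp"),
        temp,
    ]
    return list(dict.fromkeys(dirs))


def pe_characteristics(data):
    """Return the COFF Characteristics field of a PE image, or None if the
    bytes are not a well-formed MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature(4) + Machine(2) + NumberOfSections(2) + TimeDateStamp(4)
    # + PointerToSymbolTable(4) + NumberOfSymbols(4) + SizeOfOptionalHeader(2)
    # puts Characteristics at e_lfanew + 22.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def classify_file(path):
    """Return 'dll', 'exe', 'not-pe' or 'unreadable' for one file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return "unreadable"
    chars = pe_characteristics(head)
    if chars is None:
        return "not-pe"
    return "dll" if chars & IMAGE_FILE_DLL else "exe"


def scan(dirs):
    """Sorted (path, verdict) for every <digits>.tmp file that is a PE image.
    Missing directories are skipped silently."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if not TMP_NAME.match(name) or not os.path.isfile(path):
                continue
            verdict = classify_file(path)
            if verdict in ("dll", "exe"):
                findings.append((path, verdict))
    return sorted(findings)


def build_fake_pe(dll):
    """Constructed minimal MZ/PE header (not a runnable binary) for testing."""
    e_lfanew = 0x40
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    chars = IMAGE_FILE_DLL if dll else 0x0002   # 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(mz) + b"PE\0\0" + coff + b"\0" * 0xE0


def demo():
    """Lay out a constructed drop tree, scan it, return (basename, verdict)."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "System32", "spool", "PRTPROCS", "W32X86")
        temp = os.path.join(root, "Temp")
        os.makedirs(spool)
        os.makedirs(temp)
        samples = {
            os.path.join(spool, "48213.tmp"): build_fake_pe(dll=True),   # flagged as dll
            os.path.join(temp, "7701.tmp"): build_fake_pe(dll=False),    # flagged as exe
            os.path.join(temp, "notes.tmp"): b"just text",               # name pattern miss
            os.path.join(spool, "12.tmp"): b"not a PE at all",           # right name, not PE
        }
        for path, content in samples.items():
            with open(path, "wb") as fh:
                fh.write(content)
        hits = scan(drop_dirs(windir=root, temp=temp))
        return [(os.path.basename(p), v) for p, v in hits]


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:4s} {path}")
```

Run it as-is to see the constructed demo; call `scan(drop_dirs())` on a live Windows host to check the real directories. A hit only says "a PE image named like a temp file sits in a drop location the write-up names", so treat it as a lead for hashing and further analysis, not as a verdict.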

SYMPTOMS:
Browser redirection and increased network activity.

Spreading: medium
Damage: high
Size: variable
Discovered: 2009 Nov 26

Download BitDefender to disinfect your files.
