Saturday, September 10, 2005

TROJ_BAGLE.CR

Malware type: Trojan
Aliases: No Alias Found
In the wild: Yes
Destructive: Yes
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low

Reported infections: Low
Damage potential: High
Distribution potential: Low

Description:

Upon execution, this memory-resident Trojan opens the Notepad application, possibly to hide its malicious routines from unsuspecting users. In the background, however, it drops copies of itself as WINSHOST.EXE in the Windows system folder and as CJECTOR.EXE in the Windows folder. It also drops its dynamic link library (DLL) component using the file name WIWSHOST.EXE. The dropped DLL carries this Trojan's malicious routines.

This Trojan modifies a system's HOSTS file to contain only the following entry:

127.0.0.1 localhost

By default, most systems have only this line in their HOSTS file, so on a stock system the routine has no adverse effect. It does, however, overwrite the HOSTS file of users who customize it for filtering purposes, silently removing their entries.

This Trojan disables antivirus applications by deleting specific keys from the system registry. It also modifies the registry to disable the Windows automatic updates, the Windows XP SP2 Firewall, and the system's administrative alerts. Furthermore, it stops services, terminates processes, and renames several files that are mostly related to security, antivirus, and firewall applications.

These routines may make it difficult for affected users to detect and remove this Trojan from the system. They also pose an additional threat by leaving the affected system vulnerable to further attacks from other malware programs.

Notably, this Trojan specifically disables Trend Micro antivirus by modifying a certain registry entry.

This Trojan downloads a file from a list of URLs. The downloaded file is saved as _RE_FILE.EXE. As of this writing, the said URLs are inaccessible.
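The description above gives a defender a handful of host-based indicators: the dropped file names and the folders they land in, the downloaded file name, and a HOSTS file reduced to the single default line. The following triage script is an added example and is not part of the Trend Micro entry; the file names and the HOSTS line come from the text above, while the directory listings and HOSTS contents it checks are constructed samples. On a real machine you would feed it the actual listings of the Windows and system folders and the current HOSTS file, ideally alongside a known-good copy of HOSTS taken from a backup.

```python
"""Triage helpers for the indicators listed in the TROJ_BAGLE.CR write-up.

Added example, not from the Trend Micro entry. File names and the default
HOSTS line are taken from the description; all sample inputs below are
constructed for the demonstration.
"""

# Dropped-file names from the description, keyed by the folder the
# write-up says each one lands in.
DROPPED_FILES = {
    "system": {"WINSHOST.EXE", "WIWSHOST.EXE"},   # Windows system folder
    "windows": {"CJECTOR.EXE"},                   # Windows folder
}
DOWNLOAD_ARTIFACT = "_RE_FILE.EXE"                # location not stated; checked everywhere
DEFAULT_HOSTS_ENTRY = ("127.0.0.1", "localhost")


def parse_hosts(text: str) -> list[tuple[str, tuple[str, ...]]]:
    """Return (address, hostnames) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], tuple(parts[1:])))
    return entries


def hosts_looks_overwritten(text: str) -> bool:
    """True when HOSTS contains nothing but the single default localhost line.

    That state is normal on a stock system, so by itself it is only a weak
    signal; it matters when the administrator knows custom entries were there.
    """
    expected = [(DEFAULT_HOSTS_ENTRY[0], (DEFAULT_HOSTS_ENTRY[1],))]
    return parse_hosts(text) == expected


def hosts_lost_entries(before: str, after: str) -> list[str]:
    """Hostnames present in a known-good HOSTS copy but missing from the current one."""
    def names(text: str) -> set[str]:
        return {h.lower() for _, hosts in parse_hosts(text) for h in hosts}
    return sorted(names(before) - names(after))


def find_dropped_files(listing: dict[str, list[str]]) -> list[str]:
    """Match folder listings against the dropped-file names.

    `listing` maps a folder label ('system' or 'windows') to the file names
    found there. Comparison is case-insensitive, as Windows file systems are.
    """
    hits = []
    for folder, expected in DROPPED_FILES.items():
        present = {name.upper() for name in listing.get(folder, [])}
        for name in sorted(expected & present):
            hits.append(f"{folder}:{name}")
    all_names = {n.upper() for files in listing.values() for n in files}
    if DOWNLOAD_ARTIFACT in all_names:
        hits.append(DOWNLOAD_ARTIFACT)
    return hits


# Constructed samples (not captures from a real infection).
SAMPLE_GOOD_HOSTS = """# Admin-maintained HOSTS with ad-filtering entries
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid
"""
SAMPLE_AFTER_HOSTS = "127.0.0.1 localhost\n"
SAMPLE_LISTING = {
    "system": ["kernel32.dll", "winshost.exe", "wiwshost.exe"],
    "windows": ["notepad.exe", "CJECTOR.EXE", "_re_file.exe"],
}

if __name__ == "__main__":
    print("HOSTS reduced to default line:", hosts_looks_overwritten(SAMPLE_AFTER_HOSTS))
    print("Custom entries lost:", hosts_lost_entries(SAMPLE_GOOD_HOSTS, SAMPLE_AFTER_HOSTS))
    print("Dropped files present:", find_dropped_files(SAMPLE_LISTING))
```

The HOSTS check is deliberately split in two: `hosts_looks_overwritten` alone fires on every clean install, so the useful signal is `hosts_lost_entries` against a copy you trust. File-name matches are stronger evidence but still only names; confirm with hashes or vendor detection before acting on them.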

source: trendmicro.com
