This Trojan downloads other files via the Internet and launches them for execution on the victim machine. The program is an HTML page which contains Java Script scenarios. It is 1432 bytes in size.
| Payload |
The Trojan downloads a file from the URL shown below by exploiting a vulnerability (CVE-2006-1359) in the processing of "createTextRange" in Microsoft Internet Explorer:
http://195.62.***.21/a.exe
The Trojan saves this file to its working directory as shown below:
%WorkDir%\a.exe
The downloaded file will then be launched for execution.
At the time of writing, the link was not active.
| Removal instructions |
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the process shown below:
a.exe
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following file:
%WorkDir%\a.exe
- Delete all files from %Temporary Internet Files%.
- Install the latest patches for Microsoft Internet Explorer.
- Update your antivirus databases and perform a full scan of the computer.
Leave a comment