Doctor Web: the beginning of the Trojan.Packed.1198 epidemic
October 28, 2008, 2:58 pm
Doctor Web reports a sharp increase over the past week in the volume of spam messages carrying an attached archive that contains a malicious program detected by Dr.Web as Trojan.Packed.1198. The message arrives with an eye-catching subject line, "New anjelina jolie sex scandal", and its body invites the recipient to open the attached file, which is presented as a porn video. This lure is a common one in today's spam, but this particular run has become so widespread (more than 50% of all infected e-mail traffic during peak hours, according to Doctor Web's server statistics) that Trojan.Packed.1198 has infected a large number of users both in Russia and worldwide.

The archive attached to the message contains the installer of the malware, anjelina_video.exe, 44,032 bytes in size. It in turn contains a file detected by Dr.Web as Trojan.MulDrop.17829. This trojan first checks whether one of the known fake antivirus programs (various modifications of Trojan.FakeAlert) is already present on the system. If one is found, Trojan.MulDrop.17829 exits and deletes itself. If no trace of a fake antivirus is found, the trojan goes to work.

First, Trojan.MulDrop.17829 decrypts a file embedded inside it and saves it to the system directory under the name brastk.exe. The saved file is also detected as Trojan.Packed.1198, because it uses a packer similar to the one used by the original file. It also saves the file figaro.sys. When loading this driver, the trojan temporarily substitutes it for the beep.sys driver, thereby hiding the loading of its own driver from many anti-rootkit utilities. Finally, the trojan deletes the original file and reboots the system.

Once active, the trojan changes the Windows security zones, disables the Windows warnings about missing antivirus software, a disabled firewall and missing updates, and turns off the built-in firewall itself.
The trojan then deletes Internet Explorer data from the registry, sets Google as the search engine and changes the start page to www.google.com. Eventually it displays a message saying that the computer is infected and offers to download a tool to fight the infection. A notable detail is that the malicious files are downloaded before the user is shown the infection reports. The peak of the spam run carrying Trojan.Packed.1198 fell on October 20-22. From October 25, virtually identical messages began distributing malware detected by Dr.Web as Trojan.PWS.Panda.31. Doctor Web warns all users not to launch attachments from messages arriving from unknown addresses, and advises being more wary of anything virus writers offer.
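The artifacts described in the report (brastk.exe in the system directory, the figaro.sys driver, the beep.sys swap, the silenced Windows warnings, the disabled firewall and the reset IE start page) amount to a short host-triage checklist. The Python script below is an added example, not code or tooling from Doctor Web, that scores a host snapshot against those indicators. It runs over a constructed snapshot so it works offline; the registry paths are the standard XP-era locations for the settings the report describes, which the report itself does not name, so they are assumptions, as are the file paths (the report says only "the system directory"), the sample hashes and the known-good beep.sys hash.

```python
"""Host-triage check for the artifacts the Doctor Web report attributes to
Trojan.MulDrop.17829 / Trojan.Packed.1198. Added example, not Doctor Web code.

Runs over a snapshot (file metadata plus registry values) so it works offline;
on a live Windows host you would populate the snapshot from the filesystem and
the registry. The registry paths are ASSUMED: standard XP-era locations for the
settings the report says the trojan changes, but the report does not name them.
"""
from dataclasses import dataclass

# Artifacts named in the report. Full paths are assumed (report says only
# "the system directory" for brastk.exe and just names figaro.sys / beep.sys).
DROPPED_EXE = r"c:\windows\system32\brastk.exe"
DROPPED_SYS = r"c:\windows\system32\drivers\figaro.sys"
BEEP_SYS = r"c:\windows\system32\drivers\beep.sys"
INSTALLER_NAME = "anjelina_video.exe"
INSTALLER_SIZE = 44032  # bytes, as reported

# Assumed registry locations (lower-cased; lookups are case-insensitive).
SECURITY_CENTER = r"hklm\software\microsoft\security center"
FIREWALL_STD = (r"hklm\system\currentcontrolset\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile")
IE_MAIN = r"hkcu\software\microsoft\internet explorer\main"


@dataclass(frozen=True)
class Finding:
    weight: int   # 3 = dropped artifact, 2 = installer, 1 = setting tampered, 0 = informational
    detail: str


def check_snapshot(files, registry, beep_sys_known_good=None):
    """files: {path: {"size": int, "sha256": hex}}; registry: {key\\value: data}.
    beep_sys_known_good is the SHA-256 of beep.sys from a clean install of the
    same Windows build (assumed to come from your own baseline)."""
    files = {p.lower(): m for p, m in files.items()}
    registry = {k.lower(): v for k, v in registry.items()}
    findings = []

    # 1. Dropped payload and driver.
    if DROPPED_EXE in files:
        findings.append(Finding(3, f"dropped payload present: {DROPPED_EXE}"))
    if DROPPED_SYS in files:
        findings.append(Finding(3, f"dropped driver present: {DROPPED_SYS}"))

    # 2. beep.sys swapped for the trojan's driver: compare against a clean hash.
    beep = files.get(BEEP_SYS)
    if beep and beep_sys_known_good and beep.get("sha256") != beep_sys_known_good.lower():
        findings.append(Finding(3, "beep.sys hash differs from the clean baseline"))

    # 3. The mail attachment's installer, matched by file name and reported size.
    for path, meta in files.items():
        if path.rsplit("\\", 1)[-1] == INSTALLER_NAME and meta.get("size") == INSTALLER_SIZE:
            findings.append(Finding(2, f"installer {path} ({INSTALLER_SIZE} bytes)"))

    # 4. Windows warnings the report says are silenced (no AV, firewall off, no updates).
    for value in ("antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"):
        if registry.get(f"{SECURITY_CENTER}\\{value}") == 1:
            findings.append(Finding(1, f"Windows warning disabled: {value}"))

    # 5. Built-in firewall turned off.
    if registry.get(f"{FIREWALL_STD}\\enablefirewall") == 0:
        findings.append(Finding(1, "Windows Firewall disabled (standard profile)"))

    # 6. IE start page reset to google.com: harmless on its own, so weight 0.
    start = str(registry.get(f"{IE_MAIN}\\start page", "")).lower().rstrip("/")
    if start in ("http://www.google.com", "www.google.com"):
        findings.append(Finding(0, "IE start page set to www.google.com (weak indicator)"))
    return findings


def verdict(findings):
    """A dropped artifact alone is decisive; tampered settings alone are only suspicious."""
    top = max((f.weight for f in findings), default=0)
    return "infected" if top >= 3 else "suspicious" if top >= 1 else "clean"


# Constructed snapshot of an infected XP host (not real forensic data).
INFECTED_FILES = {
    r"C:\WINDOWS\system32\brastk.exe": {"size": 44032, "sha256": "11" * 32},
    r"C:\WINDOWS\system32\drivers\figaro.sys": {"size": 8192, "sha256": "22" * 32},
    r"C:\WINDOWS\system32\drivers\beep.sys": {"size": 8192, "sha256": "33" * 32},
    r"C:\Documents and Settings\user\Desktop\anjelina_video.exe": {"size": 44032, "sha256": "44" * 32},
}
INFECTED_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": 1,
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": 0,
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": "http://www.google.com/",
}
CLEAN_BEEP_SHA256 = "00" * 32  # placeholder baseline hash, constructed

if __name__ == "__main__":
    found = check_snapshot(INFECTED_FILES, INFECTED_REGISTRY, CLEAN_BEEP_SHA256)
    for f in found:
        print(f"[{f.weight}] {f.detail}")
    print("verdict:", verdict(found))
```

The weighting follows the report's own logic: the dropped files and the beep.sys substitution are specific to this trojan, whereas silenced warnings, a disabled firewall and a Google start page each have benign explanations and only raise suspicion together. On a real host, compare beep.sys against a hash taken from a clean machine of the same build rather than against a published value, since the driver differs between service packs.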