Trojan.Dropper.Cutwail.H (Trojan.Downloader.Mutant, Trojan.Downloader.Wigon, Trojan.Pandex)
SYMPTOMS:
- Presence of the file %SYSDIR%\WinCtrl32.dll, with a size of 15 KB
- Presence of the registry key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winctrl32]
- Presence of any of the following files:
  %SYSDIR%\WinNt32.dll
  %SYSDIR%\WinNt32.hui
  %SYSDIR%\WinNt32.dl_
  %SYSDIR%\WinNt32.hui_
- Increased internet activity

TECHNICAL DESCRIPTION:
When executed, the trojan creates the file %SYSDIR%\WinCtrl32.dll and creates the following registry key, so that it is executed at startup:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winctrl32]
DllName=WinCtrl32.dll
StartShell=WLEventStartShell
The trojan also drops a driver named %SYSDIR%\drivers\Winccdd.sys, where each c is a random character and each d is a random digit. It injects code into the svchost.exe process; the injected code connects to the IP address 75.126.208.82 and downloads another component, used for spamming.

REMOVAL INSTRUCTIONS:
Please let BitDefender disinfect your files.

ANALYZED BY: Petrea Ruslan, virus researcher
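A host-inventory check for the indicators listed above, written as an added example for this page (not BitDefender's tooling). It assumes %SYSDIR% is C:\Windows\System32, that the random characters in the driver name are letters, and it runs on constructed sample data rather than a live host; the driver-name matcher and the findings list are the parts a detection engineer would reuse.

```python
import re

# Indicators from the advisory above. %SYSDIR% is assumed to be C:\Windows\System32.
SYSDIR = r"C:\Windows\System32"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winctrl32"
C2_IP = "75.126.208.82"
DROPPED = {"winctrl32.dll", "winnt32.dll", "winnt32.hui", "winnt32.dl_", "winnt32.hui_"}
# Driver name Winccdd.sys: c = random character (assumed to be a letter), d = random digit.
DRIVER_RE = re.compile(r"^win[a-z]{2}[0-9]{2}\.sys$", re.IGNORECASE)


def is_cutwail_driver_name(filename):
    """True if a file name fits the Winccdd.sys pattern the advisory describes."""
    return DRIVER_RE.match(filename) is not None


def match_indicators(files, registry, connections):
    """Return findings for a host inventory.
    files: iterable of (full_path, size_bytes); registry: {key_path: {value_name: data}};
    connections: iterable of (process_name, remote_ip)."""
    findings = []
    sysdir = SYSDIR.lower()
    for path, size in files:
        folder, _, name = path.rpartition("\\")
        if folder.lower() == sysdir and name.lower() in DROPPED:
            findings.append(f"dropped file: {path} ({size} bytes)")
        elif folder.lower() == sysdir + r"\drivers" and is_cutwail_driver_name(name):
            findings.append(f"driver matching Winccdd.sys pattern: {path}")
    values = {k.lower(): str(v) for k, v in registry.get(NOTIFY_KEY, {}).items()}
    if values.get("dllname", "").lower() == "winctrl32.dll":
        findings.append(f"Winlogon Notify persistence: {NOTIFY_KEY} DllName=WinCtrl32.dll")
    for proc, ip in connections:
        if ip == C2_IP:
            findings.append(f"connection to the advisory's download server {ip} from {proc}")
    return findings


# Constructed sample inventory (not real host data) describing one infected host.
SAMPLE_FILES = [
    (r"C:\Windows\System32\WinCtrl32.dll", 15360),
    (r"C:\Windows\System32\drivers\Winxy47.sys", 9216),
    (r"C:\Windows\System32\drivers\win32k.sys", 3_000_000),  # legitimate name, must not match
    (r"C:\Windows\System32\WinNt32.hui_", 2048),
]
SAMPLE_REGISTRY = {NOTIFY_KEY: {"DllName": "WinCtrl32.dll", "StartShell": "WLEventStartShell"}}
SAMPLE_CONNECTIONS = [("svchost.exe", "75.126.208.82"), ("browser.exe", "203.0.113.5")]

if __name__ == "__main__":
    for line in match_indicators(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_CONNECTIONS):
        print(line)
```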