Trojan: winntR1.exe, winntR2.exe, winnt2.exe, winnt3.exe, winnt4.exe, winnt5.exe, winnt.6.exe

Virus/Trojan Summary

Name: Generic.dx!zi!1958aa4e01e3 (McAfee), Trojan-Downloader.Win32.Banload [Ikarus]

Type: Trojan virus


Infection Method: Email

The user received an email from a friend or colleague with a varying subject line (e.g. "Fotos Data: 17/06") and a body similar to the one below:

Imagens anexadas: DSC_252.jpg DSC_326.jpg DSC_417.jpg ("Attached images: ...")

The user clicked and opened the hyperlink, believing it was just a photo from a friend.

Note: Do not click the jpg links above; they lead to the actual trojan location.

The user simply ignored the warning prompt:

[Screenshot: the warning prompt shown before the file runs]

The user clicked “Run”.

A window displaying “Arquivo Corrompido!” (“Corrupted file!”) then appears; seeing it means the trojan has infected the machine.


Background Process after Infection:

You will notice the following processes in Task Manager:

  • winntR1.exe
  • winntR2.exe
  • winnt2.exe
  • winnt3.exe
  • winnt4.exe
  • winnt5.exe
  • winnt.6.exe

Network Activity after Infection:

The infected system tries to spread by sending mail over SMTP and HTTP, connecting to the addresses shown below:

200.226.249.3:80

201.76.62.3:25

According to the user's experience, the trojan tries to spread by sending email from the user's Hotmail account to the contacts in the user's Hotmail contact list.

Registry Modifications:

The following registry key was created:

  • HKEY_CURRENT_USER\dark

The following registry values were created in one of the two Run keys below:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • winntR1 = “C:\winnt_\winntR1.exe”
    • winntR2 = “C:\winnt_\winntR2.exe”
    • winnt2 = “C:\winnt_\winnt2.exe”
    • winnt3 = “C:\winnt_\winnt3.exe”
    • winnt4 = “C:\winnt_\winnt4.exe”
    • winnt5 = “C:\winnt_\winnt5.exe”
    • winnt6 = “C:\winnt_\winnt6.exe”

File System Modifications:

The following directory was created:

c:\winnt_

Removal Method:

Note: The trojan may affect only the particular user profile that was infected.

  1. Log in as the user whose account was infected by the trojan.
  2. Kill (End Task) every process whose name starts with winnt*.exe in Task Manager.
  3. Empty the Temporary Internet Files.
  4. Delete all winnt* entries under the registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
  5. Delete HKEY_CURRENT_USER\dark from the registry.
  6. Restart the computer.
  7. Log in as administrator.
  8. Delete the “c:\winnt_” folder.
  9. Download and run the removal tool from http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe (This tool can only remove certain infected files, which is why the manual clean-up above has to be done before running it.)
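The indicators above (winnt* processes, the Run-key values, HKEY_CURRENT_USER\dark and the C:\winnt_ folder) can be audited before and after the manual clean-up with the following PowerShell script. It is an added example, not code from the original post or from the Norman tool; it assumes it is run from an elevated prompt while logged in as the affected user (HKCU is that user's hive), and it only reports, mirroring steps 2, 4, 5 and 8 without deleting anything.

```powershell
# Constructed indicator audit for the trojan described above; not code from the
# original write-up. Read-only: it reports findings, it does not remove anything.
# Run from an elevated PowerShell prompt so the HKLM Run key is readable.

$findings = @()

# 1. Processes whose image name starts with "winnt" (winntR1, winnt2, winnt.6 ...)
Get-Process | Where-Object { $_.ProcessName -like 'winnt*' } | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($_.Id)"; Value = $_.ProcessName }
}

# 2. Autostart values in either Run key that use a winnt* value name or point
#    into the dropper directory C:\winnt_
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $psMeta) { continue }          # skip provider metadata properties
        $data = [string]$props.$name
        if ($name -like 'winnt*' -or $data -like '*\winnt_\*') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Value = "$name = $data" }
        }
    }
}

# 3. The marker key the trojan creates in the infected user's hive
if (Test-Path 'HKCU:\dark') {
    $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = 'HKCU:\dark'; Value = 'exists' }
}

# 4. The dropper directory and whatever it contains
if (Test-Path 'C:\winnt_') {
    $findings += [pscustomobject]@{ Type = 'Directory'; Location = 'C:\winnt_'; Value = 'exists' }
    Get-ChildItem -Path 'C:\winnt_' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'File'; Location = 'C:\winnt_'; Value = $_.Name }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this write-up were found.' }
else { $findings | Format-Table -AutoSize }
```

Because HKCU only reflects the logged-in user's hive, repeat the run under each account on a shared machine, consistent with the note that the trojan may affect a single user profile.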
