Friday, March 13, 2009

MSN Messenger Photo Album Virus

(aka Worm.Sedoubot.A, Backdoor.IRCBot.AAQ)

[Description]

When executed, the malware drops a file named rdihost.dll in the %Windir%\System32 folder, injects it into explorer.exe, and creates a mutex named "suckmydick:pomgfuckingstupidgay!!!" (the mutex name is a usable indicator of infection).

It also writes a copy of itself as an archive named "photo album.zip" in the %Windir% folder.

It then connects to an IRC channel on www.fre[blocked]e8.biz and waits for commands from the attacker. The connection string it sends is "lol lol lol :shadowbot2".
Through those commands the attacker can stop the Security Center and SharedAccess (Windows Firewall / Internet Connection Sharing) services, download and execute further files, or use the machine to attack other computers.

The attack is a DDoS (Distributed Denial of Service) flood and is triggered only when the attacker sends the corresponding command to the compromised system. In a DDoS attack a multitude of compromised systems (here, every machine running this bot) attack a single target; the flood of incoming traffic exhausts the target's resources, so service is denied to its legitimate users.

[Clean]

To clean the computer, restart it in Safe Mode (so the bot's DLL is not loaded and locked by explorer.exe) and delete the following files:
%Windir%\photoalbum.zip (listed above as "photo album.zip"; check for both spellings)
%Windir%\system32\rdihost.dll
Afterwards, confirm that the Security Center and SharedAccess (Windows Firewall) services are running again, since the bot can stop them on command.
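As an added example (not part of the original post, and not a tool from its author), the following Python script turns the indicators listed in the description into a check that can be run over captured IRC traffic and a host inventory, both to confirm an infection and, after the Safe Mode cleanup, to confirm the artifacts are gone. It assumes that "lol lol lol :shadowbot2" is sent as the parameters of the IRC USER registration command, which is the shape the quoted string has (a raw substring match is kept as a fallback). The sample traffic, environment and file/mutex lists are constructed; the C2 domain is left out because the post redacts it.

```python
import re

# Indicators of compromise quoted in the write-up above. The sample traffic and
# the host inventory further down are constructed for this example.
MALWARE_FILES = (
    r"%Windir%\photo album.zip",   # the write-up spells the archive both ways
    r"%Windir%\photoalbum.zip",
    r"%Windir%\system32\rdihost.dll",
)
MALWARE_MUTEX = "suckmydick:pomgfuckingstupidgay!!!"
# "lol lol lol :shadowbot2" has the shape of the IRC USER registration command
# (USER <user> <host> <server> :<realname>); treating it as one is an assumption.
BOT_USER_PARAMS = ("lol", "lol", "lol", "shadowbot2")
BOT_RAW_STRING = "lol lol lol :shadowbot2"

ENV_VAR = re.compile(r"%([^%]+)%")


def parse_irc(line):
    """Split one IRC protocol line into (COMMAND, [params]).

    Handles the optional ':prefix' and the trailing parameter introduced by
    ' :' which may itself contain spaces (RFC 1459 message format)."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return "", []
    return params[0].upper(), params[1:]


def is_bot_registration(line):
    """True if the line is the bot's IRC registration, or carries the raw
    string anywhere (so a non-USER use of it is still caught)."""
    cmd, params = parse_irc(line)
    if cmd == "USER" and tuple(params[:4]) == BOT_USER_PARAMS:
        return True
    return BOT_RAW_STRING in line


def scan_traffic(lines):
    """Return the indices of lines that match the bot's IRC handshake."""
    return [i for i, l in enumerate(lines) if is_bot_registration(l)]


def expand_windows_path(path, env):
    """Expand %VAR% tokens case-insensitively, the way cmd.exe does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def find_host_artifacts(env, present_files, mutexes):
    """Compare a host inventory (paths that exist, mutex names seen) against
    the IOCs. Windows paths compare case-insensitively."""
    present = {p.lower() for p in present_files}
    hits = []
    for ioc in MALWARE_FILES:
        full = expand_windows_path(ioc, env)
        if full.lower() in present:
            hits.append(("file", full))
    if MALWARE_MUTEX in mutexes:
        hits.append(("mutex", MALWARE_MUTEX))
    return hits


# --- constructed sample data (not captured from a real infection) -----------
SAMPLE_TRAFFIC = [
    "NICK bot4821\r\n",
    "USER lol lol lol :shadowbot2\r\n",
    "JOIN #chan\r\n",
    "USER alice alice irc.example.net :Alice Smith\r\n",   # benign client
    ":irc.example.net 001 bot4821 :Welcome\r\n",           # server reply
]
SAMPLE_ENV = {"Windir": r"C:\Windows"}
SAMPLE_FILES = [r"C:\Windows\System32\rdihost.dll", r"C:\Windows\explorer.exe"]
SAMPLE_MUTEXES = ["suckmydick:pomgfuckingstupidgay!!!", "Global\\SomeApp"]

if __name__ == "__main__":
    print("bot handshake at traffic lines:", scan_traffic(SAMPLE_TRAFFIC))
    print("host artifacts:", find_host_artifacts(SAMPLE_ENV, SAMPLE_FILES, SAMPLE_MUTEXES))
```

On a real host, feed find_host_artifacts the paths that actually exist and the mutex names from a handle listing; an empty result after the Safe Mode cleanup is the check that the two files are gone.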


Removal Tool available here
