Friday, March 13, 2009

Tibs.C Trojan

(aka Trojan.Downloader.Tibs.C, Trojan-Downloader.Win32.Tibs.gc, TR/Dldr.Tibs.C)


[Description]

This trojan copies itself to the system directory under the name kernels88.exe.

It bypasses the built-in Windows Firewall so that the malware can connect to the internet,
download files into the Windows system folder and execute them.

The names of some of the files start with dlh9jkd1q%number%.exe.
Other files are named %number%.dllb.
There is also a file called vx.tll.
All of them are placed in the Windows System folder (e.g. C:\Windows\System32\vx.tll).

It steals information about the computer on which it is running:
operating system version, build, platform, processor type, etc.

It also sets registry values under SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices so that it runs at startup.

It tries to create a semaphore called outpost.exe and, finally, disables the Task Manager.

[Clean]

To clean the computer, restart it in Safe Mode and delete the following files:
C:\windows\system32\kernels88.exe
C:\Windows\System32\dlh9jkd1q1.exe
C:\Windows\System32\dlh9jkd1q2.exe
C:\Windows\System32\dlh9jkd1q5.exe
C:\Windows\System32\dlh9jkd1q6.exe
C:\Windows\System32\dlh9jkd1q7.exe
C:\Windows\System32\dlh9jkd1q8.exe
C:\Windows\System32\1.dllb
C:\Windows\System32\2.dllb
C:\Windows\System32\3.dllb
C:\Windows\System32\4.dllb
C:\Windows\System32\5.dllb
C:\Windows\System32\6.dllb
C:\Windows\System32\7.dllb
C:\Windows\System32\vx.tll

Delete the following registry values (the value name is given after the dash):
SOFTWARE\Microsoft\Windows\CurrentVersion\Run - System
SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices - SystemTools

Go to Start, Run, type netsh firewall reset and press OK. Note that this restores the firewall to its default configuration, so any exceptions you added yourself will have to be recreated.

To enable Task Manager click on Start, Run, type:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Then click OK
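The steps above can be checked and carried out in one go. The following PowerShell script is an added example and is not part of the original post; it is built only from the file names, registry values and commands listed above. It assumes PowerShell 2.0 or later, an elevated prompt, and that you run it in Safe Mode as the cleanup section advises (so kernels88.exe is not running and holding its file open). The wildcard patterns for dlh9jkd1q%number%.exe and %number%.dllb are my generalisation of the numbered files in the list; they will also report any other numbered variants present.

```powershell
# Added example (not from the original post): report Tibs.C artifacts on this
# machine and, with -Remove, perform the cleanup steps from the write-up.
param([switch]$Remove)

$sys32 = Join-Path $env:SystemRoot 'System32'

# File name patterns from the description. The wildcards cover the numbered
# variants (dlh9jkd1q1.exe ... 1.dllb ...) instead of hard-coding the list.
$filePatterns = @('kernels88.exe', 'dlh9jkd1q[0-9]*.exe', '[0-9]*.dllb', 'vx.tll')

# Autorun values named in the cleanup section (value names System and SystemTools).
$runValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'System' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'SystemTools' }
)

# Policy value the trojan sets to disable Task Manager (same key as the REG command above).
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-TibsFileHits {
    # Enumerate System32 once and keep files whose name matches any pattern.
    Get-ChildItem -Path $sys32 -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $name = $_.Name; @($filePatterns | Where-Object { $name -like $_ }).Count -gt 0 }
}

function Get-TibsRunHits {
    # Return one object per autorun value that actually exists, with its data.
    foreach ($v in $runValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            New-Object PSObject -Property @{ Path = $v.Path; Name = $v.Name; Data = $item.($v.Name) }
        }
    }
}

function Test-TaskMgrDisabled {
    $item = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.DisableTaskMgr -eq 1)
}

$files      = @(Get-TibsFileHits)
$runs       = @(Get-TibsRunHits)
$tmDisabled = Test-TaskMgrDisabled

Write-Host "Files matching Tibs.C name patterns in ${sys32}: $($files.Count)"
foreach ($f in $files) { Write-Host "  $($f.FullName)  $($f.Length) bytes  $($f.LastWriteTime)" }
Write-Host "Autorun values present: $($runs.Count)"
foreach ($r in $runs) { Write-Host "  $($r.Path)\$($r.Name) = $($r.Data)" }
Write-Host "DisableTaskMgr policy set: $tmDisabled"

if ($Remove) {
    # Same order as the write-up: files, autorun values, firewall reset, Task Manager.
    foreach ($f in $files) { Remove-Item -LiteralPath $f.FullName -Force }
    foreach ($r in $runs)  { Remove-ItemProperty -Path $r.Path -Name $r.Name -Force }
    netsh firewall reset
    if ($tmDisabled) { Set-ItemProperty -Path $policyKey -Name DisableTaskMgr -Value 0 -Type DWord }
}
```

Run it without arguments first to see what it finds; the report includes size and last-write time of each matching file so you can judge whether a hit is really one of the dropped files before running it again with -Remove. The firewall reset is executed unconditionally in removal mode, exactly as the cleanup section instructs, so expect to recreate any custom exceptions afterwards.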
