Friday, March 13, 2009

Trojan.VB.AQT

(aka TR/VB.aqt)


[Description]

This trojan spreads by copying itself to removable drives.
When it is run, it checks whether a folder called Recycled exists in the root of the drive,
and creates it if it does not.
It then creates two files in the Recycled folder, info2 and desktop.ini.
The desktop.ini file has the following contents:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

That CLSID is the Recycle Bin's, so Explorer displays the folder as a Recycle Bin instead of listing what it contains.
Inside it the trojan creates a subfolder, also named Recycled, and drops a copy of itself there
under the name ctfmon.exe (the name of a legitimate Windows text-services component).
It creates the file autorun.inf in the root of the drive with the following contents:
[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

The shellexecute entry launches the copy when the drive is inserted (AutoRun), and the shell\Open verb makes
the copy the default action when the drive is double-clicked in Explorer.

It reads the registry value
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
which holds the path of the current user's Startup folder,
and copies ctfmon.exe there so that it runs at every logon.

[Clean]

Open Task Manager and terminate the trojan's ctfmon.exe process. A legitimate ctfmon.exe may also be running
from %SystemRoot%\System32; the one to kill is the copy started from the Startup folder or a removable drive,
so check the image path first.
Delete the ctfmon.exe file from the Startup folder (the real ctfmon.exe is never started from there, so a copy in that folder is the trojan's).
Delete the following files (do this on every infected removable drive as well):
autorun.inf
Recycled\desktop.ini
Recycled\info2
Recycled\Recycled\ctfmon.exe
Note that on a FAT volume Windows itself creates Recycled\desktop.ini (with this same CLSID) and Recycled\INFO2
for the real Recycle Bin, so those two files alone do not mean the drive is infected; the reliable markers are the
nested Recycled\Recycled\ctfmon.exe and an autorun.inf that points at it.
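
The scanner below is an added example, not code from the original post or from the malware author. It checks a drive root for the artifacts described above (the autorun.inf launch entries pointing at Recycled\Recycled\ctfmon.exe, the nested copy, and the Recycled\desktop.ini and info2 pair) and removes them on request, which is the cleanup procedure listed above in script form. It assumes, as stated in the caveat above, that desktop.ini and info2 are only counted when a strong marker is also present, so an ordinary FAT Recycle Bin folder is not flagged. The sample autorun.inf and desktop.ini contents are transcribed from this post; the ctfmon.exe and info2 files it writes are inert placeholders constructed for the demonstration.

```python
"""Scanner/cleaner for the Trojan.VB.AQT artifacts described in this post.

Added example, not code from the original post or the malware author.
Assumption (from the caveat in the Clean section, not from the writeup
itself): Recycled\\desktop.ini and Recycled\\info2 are only treated as part of
the infection when autorun.inf launch entries or the nested copy are present.
"""
import re
import shutil
import tempfile
from pathlib import Path

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
DROPPED_COPY = Path("Recycled") / "Recycled" / "ctfmon.exe"

# Either autorun.inf entry from the writeup hands control to the dropped copy.
_LAUNCH_RE = re.compile(
    r"^\s*(shellexecute|shell\\open\(&[0o]\)\\command)\s*=\s*"
    r"recycled\\recycled\\ctfmon\.exe\s*$",
    re.IGNORECASE,
)

# Constructed samples, transcribed from the post.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "shellexecute=Recycled\\Recycled\\ctfmon.exe\n"
    "shell\\Open(&O)\\command=Recycled\\Recycled\\ctfmon.exe\n"
    "shell=Open(&0)\n"
)
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n"


def autorun_launch_lines(text):
    """Return the autorun.inf lines that launch Recycled\\Recycled\\ctfmon.exe."""
    return [ln.strip() for ln in text.splitlines() if _LAUNCH_RE.match(ln)]


def find_artifacts(root):
    """Return infection artifacts under a drive root, as POSIX-style relative paths.

    autorun.inf and the nested copy are the strong markers; desktop.ini and
    info2 are only reported alongside them (a FAT Recycle Bin has both).
    """
    root = Path(root)
    strong = []
    autorun = root / "autorun.inf"
    if autorun.is_file() and autorun_launch_lines(autorun.read_text(errors="replace")):
        strong.append(autorun)
    copy = root / DROPPED_COPY
    if copy.is_file():
        strong.append(copy)
    if not strong:
        return []
    weak = [root / "Recycled" / n for n in ("desktop.ini", "info2")]
    return [p.relative_to(root).as_posix() for p in strong + weak if p.is_file()]


def clean_drive(root, dry_run=False):
    """Delete what find_artifacts() reports; return the list of removed paths."""
    root = Path(root)
    removed = find_artifacts(root)
    if not dry_run:
        for rel in removed:
            (root / rel).unlink()
        nested = root / "Recycled" / "Recycled"
        if nested.is_dir() and not any(nested.iterdir()):
            nested.rmdir()  # drop the now-empty fake Recycle Bin subfolder
    return removed


def startup_copy_present(startup_dir):
    """True if a ctfmon.exe sits in the Startup folder (the real one never does)."""
    return (Path(startup_dir) / "ctfmon.exe").is_file()


def write_sample_infection(root):
    """Lay out the constructed artifacts; ctfmon.exe and info2 are inert placeholders."""
    root = Path(root)
    (root / "Recycled" / "Recycled").mkdir(parents=True, exist_ok=True)
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (root / "Recycled" / "desktop.ini").write_text(SAMPLE_DESKTOP_INI)
    (root / "Recycled" / "info2").write_bytes(b"placeholder, not a real INFO2")
    (root / DROPPED_COPY).write_bytes(b"placeholder, not the real sample")


def demo():
    """Build a fake drive in a temp dir, scan, clean, rescan; return the results."""
    tmp = Path(tempfile.mkdtemp(prefix="vbaqt_"))
    try:
        write_sample_infection(tmp)
        before = find_artifacts(tmp)
        removed = clean_drive(tmp)
        after = find_artifacts(tmp)
        # A Recycled folder holding only what Windows creates must not be flagged.
        benign = tmp / "benign"
        (benign / "Recycled").mkdir(parents=True)
        (benign / "Recycled" / "desktop.ini").write_text(SAMPLE_DESKTOP_INI)
        (benign / "Recycled" / "info2").write_bytes(b"")
        benign_hits = find_artifacts(benign)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return {"before": before, "removed": removed, "after": after, "benign": benign_hits}


if __name__ == "__main__":
    for name, paths in demo().items():
        print(name, paths)
```

Run it against a real drive with `clean_drive("E:\\", dry_run=True)` first to see what would be removed; the Startup folder check takes the path read from the Shell Folders registry value described above.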
