Risk Assessment - Home Users: Low
- Corporate Users: Low
Date Discovered: 10/28/2008
Date Added: 10/28/2008
Origin: Unknown
Length: N/A
Type: Trojan
SubType: Remote Access
DAT Required: 5417
Removal Instructions
Use the latest Engine/Dats
This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 38400 bytes in size. It is written in C++.
Installation
Once launched, the Trojan copies its body to the Windows system directory as "Ir32_a.exe":
%System%\Ir32_a.exe
It then deletes its original file.
In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe,Ir32_a.exe"
The Trojan sends a request to the remote malicious user's site:
http://www.yukor.blog55.....
It receives in reply a file containing links from which other objects will be downloaded. The file will be saved to the C: root directory: as "tmp.dat":
C:\tmp.dat
Files which are downloaded from the links contained in the file are saved to the Temporary Internet Files directory under their original names. Once they have been downloaded they are launched for execution.
At the moment of writing, the link was not active.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the copy of the Trojan:
%System%\Ir32_a.exe
- Delete the contents of %Temporary Internet Files%.
- Revert the following system registrykey:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe,Ir32_a.exe"
to
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus