Discovered: April 19, 2009
Updated: April 20, 2009 1:02:22 AM
Type: Trojan
Infection Length: 33,792 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
When executed, the Trojan copies itself as the following files:
- %System%\reader_s.exe
- %UserProfile%\reader_s.exe
It then creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reader_s" = "%System%\reader_s.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Reader_s" = "%UserProfile%\reader_s.exe"
The Trojan then modifies the following file:
%System%\drivers\ndis.sys
The Trojan then searches the compromised computer for information that may be relayed to a remote attacker.
It may also download files, including updates to itself.
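A host check for the indicators listed above, as an added example that is not part of the original advisory. It assumes %System% maps to the Windows system directory and %UserProfile% to the current user's profile; the function name is hypothetical.

```powershell
# Added example (not from the advisory). Test-ReaderSIndicators is a hypothetical name.
# Assumption: %System% = [Environment]::SystemDirectory, %UserProfile% = $env:USERPROFILE.
function Test-ReaderSIndicators {
    $findings = @()
    $sys = [Environment]::SystemDirectory

    # 1. Dropped copies named in the advisory
    $files = @(
        (Join-Path $sys 'reader_s.exe'),
        (Join-Path $env:USERPROFILE 'reader_s.exe')
    )
    foreach ($path in $files) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Indicator = 'File'; Location = $path; Detail = $hash }
        }
    }

    # 2. "Reader_s" values under the two Run keys named in the advisory
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $prop = Get-ItemProperty -Path $key -Name 'Reader_s' -ErrorAction SilentlyContinue
        if ($prop) {
            $findings += [pscustomobject]@{ Indicator = 'RunKey'; Location = "$key\Reader_s"; Detail = $prop.Reader_s }
        }
    }

    # 3. ndis.sys is always present, so it is reported for verification rather than
    #    flagged: compare the hash with a known-good copy for the same OS build.
    #    A non-Valid signature status is a lead, not proof of modification.
    $ndis = Join-Path $sys 'drivers\ndis.sys'
    if (Test-Path -LiteralPath $ndis -PathType Leaf) {
        $sig  = Get-AuthenticodeSignature -FilePath $ndis
        $hash = (Get-FileHash -LiteralPath $ndis -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Indicator = 'DriverToVerify'; Location = $ndis; Detail = "Signature=$($sig.Status); SHA256=$hash" }
    }

    return $findings
}

Test-ReaderSIndicators | Format-Table -AutoSize -Wrap
```

The HKEY_CURRENT_USER and %UserProfile% checks cover only the account running the script, so repeat them for each user profile on the machine. On 64-bit Windows, a 32-bit process is redirected to SysWOW64 and the WOW6432Node registry view, which this check does not cover.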