
Archive for the ‘Viruses’ Category

Kaspersky 2009 Anti-Virus Review

Posted by Afrizal on January 16, 2009


Since the “Award Winning” Kaspersky Anti-Virus 2009 program was released not too long ago, I figured it is time to give it a try and fork up the $40 bucks. I of course used my second PC which runs Windows XP before I wanted to install it on my primary PC running Windows Vista Ultimate.

Like the previous years' versions of Kaspersky Anti-Virus, this version was very good at finding and removing threats. I won't go into what sites I would visit in order to make sure I infected the Windows XP computer nice, but we can say they were not all G rated. And of course I wrote all the sites down and kept a log of it.

Virus : Trojan-Downloader.Win32.Banload.dcd

Posted by Afrizal on September 5, 2008

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. It is 113152 bytes in size. It is not packed in any way. This Trojan is written in Visual Basic.

Installation

Once launched, the Trojan copies its body to the Windows program files directory as “lsass.exe”:
%Program Files%\Microsoft Studio Files\lsass.exe

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

The Trojan then creates a command interpreter file called “vcdg.bat” in the same directory:
%Program Files%\Microsoft Studio Files\vcdg.bat

It writes the following strings to this file:
netsh.exe firewall add allowedprogram PROGRAM="%Program Files%\Microsoft Studio Files\lsass.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

In doing so, the Trojan modifies the configuration of the Windows XP firewall, permitting any network activity created by the malicious process.

“%Program Files%\Microsoft Studio Files\vcdg.bat” is then launched for execution.

Payload

Once installed, the Trojan downloads files from the following URLs:
http://www.club-vw.cl/*****/modules/subsmanager/api_apache.tar
http://www.*****-consult.net/rcss.res
http://www.photo-*****.ru/images/exhibition_moll2005_file0031.jpg

At the time of writing, these links were not active.

http://www.cemm*****ac.at/img/nav/plus19a_RO.jpg

This file is 2603325 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banbra.bak.

Files which are downloaded are saved to the Trojan’s installation directory under random names and launched for execution.

How to clean

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"
3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
4. Delete the following directory and its contents:
%Program Files%\Microsoft Studio Files
5. Delete all files from %Temporary Internet Files%.
6. Update your antivirus databases and perform a full scan of the computer.
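
The three host artifacts described above (a copy of lsass.exe outside the system directory, the HKCU Run value pointing at it, and the netsh firewall exception) can be checked for in collected host telemetry. The following Python is an added example, not part of the original description or of any Kaspersky tool; the event format, the names `triage` and `masquerades`, and the expansion of %Program Files% to C:\Program Files and of the system directory to C:\Windows\System32 are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Assumption: default locations; adjust for non-standard installs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
# Matches the batch-file command quoted in the description.
FW_RULE = re.compile(r'firewall\s+add\s+allowedprogram\b.*?\bprogram="([^"]+)"', re.I)

def masquerades(path):
    """True if path names a system binary stored outside the system directory."""
    p = ntpath.normpath(path.strip('"')).lower()
    return ntpath.basename(p) in SYSTEM_BINARIES and ntpath.dirname(p) not in SYSTEM_DIRS

def triage(events):
    """Return (finding, path) tuples for events matching the described behaviour."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and masquerades(ev["image"]):
            findings.append(("masquerading-process", ev["image"]))
        elif ev["type"] == "registry":
            # Autostart value whose data points at a misplaced system binary.
            if RUN_KEY in ev["key"].lower() and masquerades(ev["data"]):
                findings.append(("run-key-persistence", ev["data"]))
        elif ev["type"] == "command":
            # Firewall exception granted to a misplaced system binary.
            m = FW_RULE.search(ev["cmdline"])
            if m and masquerades(m.group(1)):
                findings.append(("firewall-exception", m.group(1)))
    return findings

# Constructed sample events (hypothetical format, not real telemetry).
BAD = r"C:\Program Files\Microsoft Studio Files\lsass.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process", "image": BAD},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "lsass", "data": BAD},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Program Files\Example\updater.exe"},
    {"type": "command", "cmdline": 'netsh.exe firewall add allowedprogram PROGRAM="' + BAD
     + '" NAME="Session Win32" MODE=ENABLE PROFILE=ALL'},
]

if __name__ == "__main__":
    for finding, path in triage(SAMPLE_EVENTS):
        print(f"{finding}: {path}")
```

The check keys on the file name and location rather than a hash, so it also flags other samples that reuse the same disguise.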
