Virus Characteristics Upon execution, this trojan installs itself as a system service to launch everytime the computer boots.
HKEY_LOCAL_MACHINE\System\ControlSet\Services\DomainService "ImagePath" Data: Path to the malware executable file /service Adds itself to the built-in firewall's list of trusted applications.
HKEY_LOCAL_MACHINE\System\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile \AuthorizedApplications\List
"Path to the malware executable file"It also creates the following
registry entries as part of its installation routine.
Disables "Windows File Protection" by modifying the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon "SFCDisable"Data: 04This trojan creates
files with random file names in the %Windows%/Temp folder.
This trojan injects multplie threads into other system processes, to re-launch itself if the trojan process is killed.
Static
analysis of this file reveals that it may attempt to download a file
named "aupddc.exe" into the %Temp% folder, but at the time of writing
this description the file was not downloaded.
Indications of Infection Presence of the registry keys mentioned. Presence of a process running as a System service with description as "DDC"
Method of Infection
Trojans
do not self-replicate. They often arrive as a desirable or intriguing
file and conceal their true nature. Common ways to receive a trojan are
through newsgroup postings, IRC, peer-to-peer networks, spam, etc.
Removal Instructions
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
