Создает файлы desktop.ini и NFO в корне каждого диска.Также появляются директории Recyled и Recycler(встроеная корзина)
This trojan masquerades as ctfmon.exe and copies itself in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.
- TROJ_VB.BDN (Panda Antivirus)
- Trojan.Recycle (Doctor Web)
- Trojan.Win32.VB.aqt (Kaspersky)
This trojan purports to be a legitimate file ctfmon.exe by its name and icon. It copies itself in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.
On execution this malware adds the following files and folders on each drive
Where %Drive% represents the Drive Letters.
The contents of desktop.ini file are:
This causes windows to think that this folder contains recycle bin data. Desktop.ini is created as a hidden system file.
The contents of the autorun.inf file are:
Now if the folder in which this autorun.inf resides is shared and set for autoplay, then any remote computer accessing this share will end up executing the trojan file and getting infected too in a similar manner. This autorun.inf file also overrides the "open" command of the context menu (displayed on right click) to run the trojan when a user right-clicks and selects open.
Method of Infection
- Presence of files and folders as described
- Presence of autorun.inf at the root of all drives with contents as discussed
Method of Infection -
Так его называет McAfee 27/9/2006