Просмотр полной версии : Trojan.Win32.Delf.aig -Trojan, which requires payment of a ransom through SMS.

05.12.2007, 00:37
The Trojan program is around 170KB in size. It's icon is visually indistinguishable from the WinRar archive icon. The Trojan is written in Delphi, and is packed.

It was discovered on the PC of a user who was seeking assistance on the KL forum (http://forum.kaspersky.com/index.php?showtopic=50043)

If the Trojan is launched, it completes the following operations:

1. Tries to delete the file WINDOWS\system32\taskmgr.exe -This is the task manager

2. Creates a copy of itself in the file WINDOWS\system32\explorer32.exe

3. Registers the copied file in autorun, a non standard autorun key is used (Winlogon\Userinit)

4. Damages the display of the <<Desktop>>, which results in the desktop and control panel visually disappearing (but nevertheless, the process explorer.exe continues to work)

5. Launches WINDOWS\system32\explorer32.exe, after which it shuts down the computer.

After this, a message will appear on screen in Russian, which gives you the option to send an SMS to a premium rate number for the unblocking of the computer, and the option to enter the code sent after payment. The Trojan process cannot be stopped by the user, as the task manager has been deleted.

Detection and deletion of the Trojan:

1. The process of the Trojan is not hidden, which is why it is enough to stop the process explorer32.exe and delete the named file, after which you must reboot the computer.

2. After rebooting the computer, you should check whether the file WINDOWS\system32\taskmgr.exe is present on the disk. If it is missing, then it needs to be restored manually from the backup, or the distributive of the system.

<<Translation by MAPKOBKA^^ from original by Oleg Zaitsev located here: http://virusinfo.info/showthread.php?t=13187>>

05.12.2007, 00:55
That looks like some smart trojan