Technical details
This Trojan downloads other programs from the Internet and launches them on the victim machine without the user's knowledge or consent. The Trojan is a JavaScript script embedded in HTML pages.
It is 17,002 bytes in size.
Payload
Once launched, the script runs inside the browser process and attempts to instantiate the ActiveX/COM objects registered in the system registry under the following class identifiers (CLSIDs):
[BD96C556-65A3-11D0-983A-00C04FC29E30]
[BD96C556-65A3-11D0-983A-00C04FC29E36]
[AB9BCEDD-EC7E-47E1-9322-D4A210617116]
[0006F033-0000-0000-C000-000000000046]
[0006F03A-0000-0000-C000-000000000046]
[6e32070a-766d-4ee6-879c-dc1fa91d2fc3]
[6414512B-B978-451D-A0D8-FCFDF33E833C]
[7F5B7F63-F06F-4331-8A26-339E03C0AE3D]
[06723E09-F4C2-43c8-8358-09FCD1DB0766]
[639F725F-1B2D-4831-A9FD-874847682010]
[BA018599-1DB3-44f9-83B4-461454C84BF8]
[D0C07D56-7C69-43F1-B4A0-25F5A11FAB19]
[E8CCCDDF-CA28-496b-B050-6C07C962476B]
The Trojan then attempts to connect to the Internet and download a file called "file.php" from the following address (the domain is partially masked in the source description):
my...***l.com/file.php
(At the time of writing, this link was not working.)
The downloaded file is saved to the root of drive C: as "sys%rnd%.exe", where %rnd% is a random four-digit number:
c:\sys%rnd%.exe
The downloaded file is then launched for execution.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the
instructions below to delete the malicious program:
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the following file:
c:\sys%rnd%.exe
Update your antivirus databases and perform a full scan of the computer.
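The payload description above gives two concrete indicators a responder can check for: the CLSID list that the script tries to instantiate, and the dropped file name pattern c:\sys%rnd%.exe. The Python below is an added example written for this page, not code from the antivirus vendor's description or from the Trojan itself. It scans an HTML page for references to the listed CLSIDs together with ActiveX instantiation and a "file.php" download URL, and it filters a list of file paths down to those that match the dropper name in the C: root. The HTML sample is constructed for the example (the progid string and the host in it are placeholders); the CLSID list is copied from the description above.

```python
import re
from pathlib import PureWindowsPath

# CLSIDs listed in the description above. The script in the description tries to
# instantiate ActiveX/COM objects registered under these identifiers.
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E30",
    "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
    "0006F033-0000-0000-C000-000000000046",
    "0006F03A-0000-0000-C000-000000000046",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
    "6414512B-B978-451D-A0D8-FCFDF33E833C",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766",
    "639F725F-1B2D-4831-A9FD-874847682010",
    "BA018599-1DB3-44F9-83B4-461454C84BF8",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B",
}

# Any GUID-shaped token (8-4-4-4-12 hex groups); matched case-insensitively.
CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Two ways an HTML page instantiates a COM object: the JScript ActiveXObject
# constructor, or an <object classid="clsid:..."> tag.
ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(|classid\s*=\s*['\"]?clsid:", re.IGNORECASE)
# Dropped file name from the description: sys + four random digits + .exe
DROPPER_NAME_RE = re.compile(r"^sys\d{4}\.exe$", re.IGNORECASE)


def scan_html(text):
    """Return indicators found in an HTML/JS page, keyed by name."""
    seen = {m.group(0).upper() for m in CLSID_RE.finditer(text)}
    hits = sorted(seen & KNOWN_CLSIDS)
    activex_calls = len(ACTIVEX_RE.findall(text))
    downloads_file_php = "file.php" in text.lower()
    return {
        "clsids": hits,
        "activex_calls": activex_calls,
        "downloads_file_php": downloads_file_php,
        # A listed CLSID alone is a strong indicator; ActiveX use combined with
        # the download URL from the description is a weaker, corroborating one.
        "suspicious": bool(hits) or (activex_calls > 0 and downloads_file_php),
    }


def dropper_candidates(paths):
    """Keep only paths that sit directly in the C: root and match sys%rnd%.exe.

    Takes plain path strings so it can be run over a directory listing
    collected from the victim machine, not only over a live filesystem.
    """
    out = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_c_root = wp.drive.lower() == "c:" and wp.parent == PureWindowsPath("c:\\")
        if in_c_root and DROPPER_NAME_RE.match(wp.name):
            out.append(str(wp))
    return out


# Constructed sample page for the example; "Some.ProgID" and example.invalid are
# placeholders, not values taken from the real Trojan.
SAMPLE_HTML = """<html><body>
<script>var o = new ActiveXObject("Some.ProgID");</script>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="x"></object>
<object classid="clsid:6414512b-b978-451d-a0d8-fcfdf33e833c"></object>
<script>var u = "http://example.invalid/file.php";</script>
</body></html>"""

# Constructed directory listing to filter with dropper_candidates().
SAMPLE_PATHS = [
    r"C:\sys4821.exe",          # matches: C: root, four digits
    r"C:\Windows\sys1234.exe",  # wrong directory
    r"c:\sys12.exe",            # only two digits
    r"D:\sys0000.exe",          # wrong drive
    r"c:\SYS0001.EXE",          # matches: NTFS names are case-insensitive
]

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(dropper_candidates(SAMPLE_PATHS))
```

Because the description says the download link was already dead, the presence of the CLSID list in a page is the indicator most likely to survive; the dropped file check is what to run on a machine that rendered such a page before the link went down.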