Trojan-Downloader.Win32.Diehard.di
From Total Malware Info
This Trojan downloads other files from the Internet and launches them on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file; the original file is 27648 bytes in size.
Installation
The launched Trojan creates a driver file in %System%\drivers:
- runtime.sys
This file is 171948 bytes in size and may be detected by Kaspersky Antivirus as Trojan-PSW.Win32.Osmer.f. The Trojan then installs a service named runtime, which is launched each time Windows is rebooted on the victim machine:
[HKLM\System\CurrentControlSet\Services\runtime]
"ImagePath"="%System%\drivers\runtime.sys"
"Type"="dword:0x00000001"
"Start"="dword:0x00000003"
Payload
Once launched, the Trojan opens Internet Explorer and injects its code into that process's address space. It then downloads a file from the following URL:
- http://207.218.237.82/40e800142020202057202d444d574d414b393344313731316c0000003c66000000007600000002
The downloaded archive is 91656 bytes in size and contains the following files:
- 0.bin
This file is 32256 bytes in size and may be detected by Kaspersky Antivirus as Trojan-Dropper.Win32.Agent.dyc.
- 1.bin
This file is 25472 bytes in size and may be detected by Kaspersky Antivirus as Trojan-Dropper.Win32.Agent.ici.
- 2.bin
This file is 59392 bytes in size and may be detected by Kaspersky Antivirus as Email-Worm.Win32.Agent.cg. The Trojan then copies these files to the Startup folder and deletes the original file. It also creates a file with the following name:
- %System%\[0-9]_exception.nls
The Trojan creates a unique ID to identify itself:
- y8w.61T_i0b_Q3f.l4R7
The malware is designed to build botnets used for sending spam.
Removal Instructions
- Using Task Manager, terminate all Internet Explorer processes.
- Stop the runtime service. Type at the command line:
  - sc stop runtime
- Delete the following files:
  - %System%\drivers\runtime.sys
- Update your antivirus databases and perform a full scan of the computer.
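As an added example (not part of the original write-up), a small Python triage helper that checks a .reg-style export and a file inventory for the indicators described above: the runtime service key with its ImagePath, Type and Start values, the runtime.sys driver and its size, and the %System%\[0-9]_exception.nls file. The sample inputs are constructed, and the parser only handles the minimal key/value layout shown on this page.

```python
import re
# Indicators from the write-up above: driver size, service key, dropped file name.
DRIVER_SIZE = 171948
SERVICE_KEY = r"HKLM\System\CurrentControlSet\Services\runtime".lower()

def parse_reg_export(text):
    """Parse a minimal .reg-style listing into {key_lowercase: {name: value}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            keys[current][name.strip('"')] = value.strip('"')
    return keys

def check_service(keys):
    """Flag the 'runtime' kernel-driver service as the write-up describes it."""
    svc = keys.get(SERVICE_KEY)
    if svc is None:
        return []
    expected = {"Type": "dword:0x00000001", "Start": "dword:0x00000003"}
    findings = ["service key present: " + SERVICE_KEY]
    findings += ["%s=%s" % (n, v) for n, v in expected.items() if svc.get(n, "").lower() == v]
    if svc.get("ImagePath", "").lower().endswith("\\drivers\\runtime.sys"):
        findings.append("ImagePath points at " + svc["ImagePath"])
    return findings

def check_files(inventory):
    """inventory: (path, size) tuples from a disk walk; flags the dropped files."""
    findings = []
    for path, size in inventory:
        name = path.rsplit("\\", 1)[-1].lower()
        if name == "runtime.sys" and "\\drivers\\" in path.lower():
            findings.append("driver file %s, %d bytes (write-up: %d)" % (path, size, DRIVER_SIZE))
        elif re.match(r"[0-9]_exception\.nls$", name):
            findings.append("suspicious NLS file " + path)
    return findings

def triage(reg_text, inventory):
    return check_service(parse_reg_export(reg_text)) + check_files(inventory)
# Constructed sample input mirroring the registry listing and file names above.
SAMPLE_REG = """[HKLM\\System\\CurrentControlSet\\Services\\runtime]
"ImagePath"="%System%\\drivers\\runtime.sys"
"Type"="dword:0x00000001"
"Start"="dword:0x00000003"
"""
SAMPLE_FILES = [(r"C:\Windows\System32\drivers\runtime.sys", 171948),
                (r"C:\Windows\System32\7_exception.nls", 4096), (r"C:\Windows\System32\drivers\ntfs.sys", 1000000)]
```

Running triage(SAMPLE_REG, SAMPLE_FILES) lists the four service findings followed by the two file findings; on a real host, feed it a reg.exe export of the Services key and a walk of %System%.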