Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

TROJAN.KERNELPATCH.A

Name:

Trojan.Kernelpatch.a

Added:

November 17, 2011

Type:

Trojan

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Description:

When Trojan.Kernelpatch.a is executed, it drops the following files:

%Appdata%\Documents\ebg32.tmp
%Appdata%\Documents\ebg33.tmp
%Program Files%\Common Files\PushWare\cpush.dll
%Program Files%\Common Files\PushWare\Uninst.exe
%Program Files%\Common Files\realteck\heoifz.pif
%Program Files%\Common Files\sfbsbvx\coiome.exe
%Windir%\Fonts\ol.ini
%Windir%\system\pp_005.dat
%Windir%\Tasks\NWF5.vbe
%Windir%\Tasks\NWFu.exe
%Windir%\Temp\oak.ini
%System%\360uaix.exe
%System%\4483250.DLI

It creates or modifies the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
safe360 = "%Program Files%\Common Files\sfbsbvx\coiome.exe"

HKLM\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32
(Default) = "%Program Files%\Common Files\PushWare\cpush.dll"

HKLM\Software\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
(Default) = "%System%\4483250.DLI"

The Run value starts coiome.exe at every logon. The two InprocServer32 values register the dropped files as in-process COM servers, so any application that instantiates either CLSID loads the malware DLL into its own address space; 4483250.DLI is a DLL despite its extension, since that is what an InprocServer32 entry is loaded as.

It connects to the domain listed below and downloads a file from it:

http://doq.XXX.pl/d/t.exe
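The following script is an added triage example written for this page; it is not a Thirtyseven4 tool. It checks a Windows host for the file and registry indicators listed above and, where the cmdlet exists, for the download host in the DNS client cache. It assumes that %System% means System32, that on 64-bit Windows the 32-bit drop locations (${env:ProgramFiles(x86)}, SysWOW64, Wow6432Node) are also worth checking, and that the operator supplies the download host, since it is redacted on this page.

```powershell
# Added IOC check for Trojan.Kernelpatch.a (example code written for this page,
# not a Thirtyseven4 tool). Run from an elevated PowerShell prompt on the host
# under investigation. Assumptions not stated on the page: %System% is
# System32, and on 64-bit hosts the 32-bit locations are checked as well.
param(
    [string]$DownloadHost   # the real 'doq.<redacted>.pl' host; redacted on the page
)

# File indicators, copied from the page (placeholders expanded below).
$fileIocs = @(
    '%Appdata%\Documents\ebg32.tmp',
    '%Appdata%\Documents\ebg33.tmp',
    '%Program Files%\Common Files\PushWare\cpush.dll',
    '%Program Files%\Common Files\PushWare\Uninst.exe',
    '%Program Files%\Common Files\realteck\heoifz.pif',
    '%Program Files%\Common Files\sfbsbvx\coiome.exe',
    '%Windir%\Fonts\ol.ini',
    '%Windir%\system\pp_005.dat',
    '%Windir%\Tasks\NWF5.vbe',
    '%Windir%\Tasks\NWFu.exe',
    '%Windir%\Temp\oak.ini',
    '%System%\360uaix.exe',
    '%System%\4483250.DLI'
)

# Registry indicators: key, value name, and a regex the data must match.
# Matching on the file name avoids false positives if the second CLSID is a
# legitimate class whose InprocServer32 has simply not been hijacked.
$regIocs = @(
    @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name  = 'safe360';   Match = 'coiome\.exe$' },
    @{ Key   = 'HKLM:\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32'
       Name  = '(default)'; Match = 'cpush\.dll$' },
    @{ Key   = 'HKLM:\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32'
       Name  = '(default)'; Match = '4483250\.DLI$' }
)

# Expand one of the page's placeholders into every concrete root on this host.
function Expand-IocPath([string]$ioc) {
    $roots = @{
        '%Appdata%'       = @($env:APPDATA)
        '%Windir%'        = @($env:windir)
        '%System%'        = @("$env:windir\System32", "$env:windir\SysWOW64")
        '%Program Files%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    }
    foreach ($token in $roots.Keys) {
        if ($ioc.StartsWith($token, 'OrdinalIgnoreCase')) {
            $rest = $ioc.Substring($token.Length)
            return $roots[$token] | Where-Object { $_ } | ForEach-Object { $_ + $rest }
        }
    }
    return @($ioc)
}

$findings = @()

foreach ($ioc in $fileIocs) {
    foreach ($path in Expand-IocPath $ioc) {
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            $findings += New-Object PSObject -Property @{
                Type = 'File'; Indicator = $path
                Detail = "$($f.Length) bytes, modified $($f.LastWriteTime)" }
        }
    }
}

foreach ($r in $regIocs) {
    # A 32-bit dropper on 64-bit Windows writes under Wow6432Node instead.
    $keys = @($r.Key, ($r.Key -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\'))
    foreach ($k in ($keys | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $data = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).($r.Name)
        if ($data -and ($data -match $r.Match)) {
            $findings += New-Object PSObject -Property @{
                Type = 'Registry'; Indicator = "$k\$($r.Name)"; Detail = $data }
        }
    }
}

# Get-DnsClientCache only exists on Windows 8 / Server 2012 and later.
if ($DownloadHost -and (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$DownloadHost*" } |
        ForEach-Object {
            $findings += New-Object PSObject -Property @{
                Type = 'DNS'; Indicator = $_.Entry; Detail = $_.Data } }
}

if ($findings) { $findings | Format-Table Type, Indicator, Detail -AutoSize }
else { 'No Trojan.Kernelpatch.a indicators found on this host.' }
```

The script uses only PowerShell 2.0-era cmdlets (New-Object instead of the [pscustomobject] accelerator), so it runs on XP SP3 and Server 2003 hosts that have Windows Management Framework installed as well as on current systems; Windows 95/98/ME have no PowerShell at all and must be checked by hand. A hit on an InprocServer32 value is worth more than a hit on a file alone: as long as the CLSID registration remains, the DLL will be reloaded by the next process that instantiates the class, so remove the registry entries before or together with the files.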