| Malware name | Trojan.Renamer.L |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | D7DB33BFB9B4A28676F8DF50A5AFCB0E |
| Static file | yes |
| Filesize | 303,104 Bytes |

Alias names (also known as)
| Sophos | W32/SillyFDC-D |
| McAfee | W32/Generic!worm |
| CA ETrust | Win32/Tcaorb.B |

Protection
| Webwasher Anti Malware | 6036.145.x |

| Side effects | Disable security applications; Registry modification |
| Propagation | Mapped network drives |

Description:
Files
It copies itself to the following locations:
• %SYSDIR%\ .exe
• %SYSDIR%\%computer name%\svchost.exe
It creates the following directory:
• %SYSDIR%\%computer name%\
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• sInErA="%SYSDIR%\ .exe"
• svchost="%SYSDIR%\%computer name%\svchost.exe"
The following registry key is changed:
– [HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
New value:
• ComputerName="%current username%"
Miscellaneous
String: Furthermore it contains the following string:
• No One Can't Stop Me.. My Mine Is Search My Ex Gurl.. Leave Me HerE 2 FiNd My ExGurlfriend N SoRy If I MaKe A MiSTaKe
File details
Programming language:
The malware program was written in Visual Basic.