Backdoor.Win32.Acidsena

From Total Malware Info


It is a backdoor used to control the victim machine remotely. The program is a PE executable compiled with Microsoft Visual Basic. The file is 118 784 bytes in size and is not packed.

Installation

Once executed, the malware copies itself into the %System% folder under the name Rundll32.exe, the name of a commonly used Windows executable. After installation the malware registers the file in the system registry so that it is launched each time Windows starts on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Emxuldn"="%System%\Rundll32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Aht"="%System%\Rundll32.exe"

Payload

After installation the Trojan lets a remote machine collect information from the victim by:

  • Taking screenshots
  • Keylogging
  • Stealing passwords

Removal instructions

  1. Using Task Manager, terminate the Trojan process Rundll32.exe.
  2. Delete the following registry values:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Emxuldn"="%System%\Rundll32.exe"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Aht"="%System%\Rundll32.exe"
    
  3. Restore the executable file:
    "%System%\Rundll32.exe"
    
  4. Run the Windows System File Checker tool to restore the original rundll32.exe.
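The following PowerShell script is an added example covering both the installation indicators above and removal steps 2 and 3; it is not code from the Total Malware Info page. It audits the two Run/RunServices values the page lists, checks whether the file at %System%\Rundll32.exe still carries a Microsoft Authenticode signature or matches the sample's 118 784-byte size, and deletes the matching registry values only when the hypothetical -Remove switch is given. The function name and the -Remove switch are this example's own; the value names Emxuldn and Aht, the file name and the file size come from the page.

```powershell
# Added example (not from the page): audit and optional cleanup of the
# Backdoor.Win32.Acidsena persistence entries and the replaced Rundll32.exe.
# Run once without -Remove to list findings, then with -Remove after step 1
# (terminating the process). Step 4 (System File Checker) is still required
# to put the genuine rundll32.exe back.
function Test-AcidsenaPersistence {
    [CmdletBinding()]
    param(
        [switch]$Remove   # hypothetical switch: delete the matching Run/RunServices values
    )

    $systemDir = [Environment]::SystemDirectory           # resolves %System%
    $target    = Join-Path $systemDir 'Rundll32.exe'
    $findings  = @()

    # 1. Autostart values. Match on the page's value names AND on any value whose
    #    data resolves to %System%\Rundll32.exe, so a renamed value is still caught.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }            # RunServices is absent on NT-based systems
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
            $data = [Environment]::ExpandEnvironmentVariables("$($p.Value)").Trim('"')
            $suspicious = ($p.Name -in @('Emxuldn', 'Aht')) -or ($data -ieq $target)
            if ($suspicious) {
                $findings += [pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$key\$($p.Name)"
                    Data     = $p.Value
                }
                if ($Remove) {
                    Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
                }
            }
        }
    }

    # 2. File integrity. The genuine rundll32.exe is Microsoft-signed; the page's sample
    #    is an unpacked 118 784-byte Visual Basic executable. On older PowerShell versions
    #    a catalog-signed system file can report NotSigned, so the size check is the
    #    stronger indicator and SFC remains the authoritative repair.
    if (Test-Path $target) {
        $sig  = Get-AuthenticodeSignature -FilePath $target
        $size = (Get-Item $target).Length
        $signedByMs = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -match 'Microsoft')
        if ($size -eq 118784 -or -not $signedByMs) {
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $target
                Data     = "size=$size; signature=$($sig.Status)"
            }
        }
    }

    return $findings
}

# Usage: list indicators first, then clean up the registry values.
Test-AcidsenaPersistence | Format-Table -AutoSize
# Test-AcidsenaPersistence -Remove
```

The script must run from an elevated prompt to modify HKLM. It deliberately does not delete the file: because the malware overwrote a legitimate system binary, the correct action is the page's step 4 (System File Checker), which replaces it with the original rather than leaving the system without rundll32.exe.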