Trojan.Win32.Diamin.fc

From Total Malware Info


Trojan program which carries out destructive actions on a computer. It is a Windows PE EXE file, 18688 bytes in size, packed with PE-Pack. The unpacked file is approximately 24 KB in size. It is written in Delphi.

Installation

Once launched, the trojan copies itself to the Windows root directory as "Adulti.exe":

%WinDir%\Adulti.exe

It then registers this file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"NETVISIONAdulti" = "%WinDir%\Adulti.exe -A"

This ensures that the trojan is launched each time Windows boots on the victim machine.

It then creates the following link on the "Desktop":

C:\Documents and Settings\<User>\Desktop\Adulti.lnk

It also creates the following links in the "Start Menu":

C:\Documents and Settings\<User>\Start Menu\Programs\NETVISION\Adulti.lnk
C:\Documents and Settings\<User>\Start Menu\Programs\NETVISION\Adulti Disinstalla.lnk

These links point to the trojan copy:

%WinDir%\Adulti.exe

Payload

This trojan deletes the following keys in the system registry (if they exist):

[HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates]
<default> = "818A7C58AE28D205F2936236BA750CF3B2D395DEECD3A1366300C58DE20E8CE6E452DB9942234C79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database]
"0" = "dkfibjjcnlplceoibcppeenjdjafgeiaahefiigcoapjkknlpfcfcdkpohbgoicfboogidikkejccmclpieicihhlpocelefpflkgegjmgncocmbgnfpbpmikdl"

This trojan collects information on some environment variables and active modem connections (including the user's login and password) and sends it for processing to a script at the following addresses (<SomeNum> stands for trojan-specific numeric parameters):

http://flat.trafficadvance.net/AccessMySQL.IVRMobileEntra?D=<SomeNum>&C=<SomeNum>&MP=<SomeNum>
http://adulti.trafficadvance.net/AccessMySQL.IVRMobileEntra?D=<SomeNum>&C=<SomeNum>&MP=<SomeNum>

This trojan can change dial-up access settings and covertly download files from the Internet if a modem is installed.

Removal instructions

  1. Delete the original trojan file (its file name and location depend on the way the trojan originally penetrated the target computer).
  2. Delete the following files:
    %WinDir%\Adulti.exe
    C:\Documents and Settings\<User>\Desktop\Adulti.lnk
    C:\Documents and Settings\<User>\Start Menu\Programs\NETVISION\Adulti.lnk
    C:\Documents and Settings\<User>\Start Menu\Programs\NETVISION\Adulti Disinstalla.lnk
  3. Delete the following directory:
    C:\Documents and Settings\<User>\Start Menu\Programs\NETVISION\
  4. Delete the registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "NETVISIONAdulti" = "%WinDir%\Adulti.exe -A"
  5. Change the dial-up password.
  6. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
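The following PowerShell script is an added example for this page, not part of the original write-up or of any vendor tool. It audits the current user's profile for the persistence artifacts listed in steps 2 through 4 (the Run value, the dropped executable, the shortcuts and the NETVISION folder), reports what it finds, and deletes them only when run with -Remove. The file paths and registry value are taken from the write-up; the script assumes the per-user Desktop and Start Menu\Programs folders are resolved through [Environment]::GetFolderPath so that it also works on Windows versions that no longer use the "Documents and Settings" layout. It does not restore the TrustedPublisher and WinTrust registry entries the trojan deletes, and steps 1, 5 and 6 remain manual.

```powershell
# Added example (not from the original write-up): audit a user profile for the
# Trojan.Win32.Diamin.fc persistence artifacts and, with -Remove, delete them.
# Assumption: folder locations are resolved with GetFolderPath rather than the
# hard-coded "C:\Documents and Settings\<User>" paths quoted in the write-up.
param(
    [switch]$Remove
)

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'NETVISIONAdulti'

$desktop  = [Environment]::GetFolderPath('Desktop')
$programs = [Environment]::GetFolderPath('Programs')   # per-user Start Menu\Programs
$nvDir    = Join-Path $programs 'NETVISION'

# File artifacts named in the write-up
$files = @(
    (Join-Path $env:windir 'Adulti.exe'),
    (Join-Path $desktop 'Adulti.lnk'),
    (Join-Path $nvDir 'Adulti.lnk'),
    (Join-Path $nvDir 'Adulti Disinstalla.lnk')
)

$findings = @()

# Step 4: the Run value pointing at %WinDir%\Adulti.exe -A
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run value '$runValue' = '$($run.$runValue)'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# A running copy would keep Adulti.exe locked; stop it before deleting files
$proc = Get-Process -Name 'Adulti' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: Adulti (PID $($proc.Id -join ', '))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# Step 2: dropped executable and shortcuts
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# Step 3: the NETVISION Start Menu folder
if (Test-Path -LiteralPath $nvDir) {
    $findings += "Directory present: $nvDir"
    if ($Remove) { Remove-Item -LiteralPath $nvDir -Recurse -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Win32.Diamin.fc artifacts found for this user.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Remove) {
        Write-Output 'Artifacts removed. Change the dial-up password and run a full antivirus scan (steps 5 and 6).'
    } else {
        Write-Output 'Audit only. Re-run with -Remove to delete the artifacts listed.'
    }
}
```

Run it once without parameters to see what is present, then with -Remove from the affected user's session, since the Run value lives under HKCU and the shortcuts live in that user's profile.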