Trojan.Win32.Diamin.jo

From Total Malware Info


A Trojan program that carries out destructive actions on a computer. It is a Windows PE EXE file, 29288 bytes in size, packed with UPX; the unpacked file is approximately 80 KB. It is written in Delphi.

Installation

Once launched, the trojan copies itself to the Windows root directory as "Netvision.exe":

%WinDir%\Netvision.exe

It then registers this file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Fast Track" = "Netvision.exe"

This ensures that the trojan will be launched each time Windows is booted.

It then creates the following link on the Desktop:

C:\Documents and Settings\<UserName>\Desktop\Internet.lnk

[Screenshot of the Internet.lnk shortcut]

This link points to the trojan copy:

%WinDir%\Netvision.exe

Payload

This trojan changes the Internet Explorer start page:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://my-search.ws"

It saves a copy of the file

%System%\drivers\etc\hosts

as

%System%\drivers\etc\hosts.nv

and adds the following line to the hosts file, which redirects auto.search.msn.com to the listed address:

67.15.57.172 auto.search.msn.com #NETVISION

The trojan also creates the following parameters in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
{0888cac2-2b33-11dc-b3da-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
{0888cac5-2b33-11dc-b3da-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
{00139a34-7647-11dc-aaa2-806d6172696f}]
"BaseClass" = "Drive"

If a modem is installed, the trojan may change its settings and download files from the Internet.

Removal instructions

  1. Delete the original trojan file (its file name and location depend on the way the trojan originally penetrated the target computer).
  2. Delete the following files:
    %WinDir%\Netvision.exe
    %System%\drivers\etc\hosts.nv
    C:\Documents and Settings\<UserName>\Desktop\Internet.lnk
  3. Delete the registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Fast Track" = "Netvision.exe"
  4. Delete the following parameters in the system registry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
    {0888cac2-2b33-11dc-b3da-806d6172696f}]
    "BaseClass"="Drive"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
    {0888cac5-2b33-11dc-b3da-806d6172696f}]
    "BaseClass"="Drive"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
    {00139a34-7647-11dc-aaa2-806d6172696f}]
    "BaseClass"="Drive"
  5. Restore start page in the "Internet Explorer".
  6. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
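As an added defender-side check (not part of the original page and not a vendor tool), the following PowerShell script looks for the indicators listed above on the local machine and only reports them; it changes nothing. It derives the Desktop path from the current user's profile instead of the hard-coded Documents and Settings path shown above, and treats any Start Page containing my-search.ws as a hit.

```powershell
# Read-only check for the Trojan.Win32.Diamin.jo indicators described on this page.
# Constructed example: reports findings, makes no changes.
$findings = @()

# 1. Dropped copy in the Windows directory
$exe = Join-Path $env:WinDir 'Netvision.exe'
if (Test-Path $exe) { $findings += "File present: $exe" }

# 2. Autorun value "Fast Track" in the HKLM Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Fast Track')) {
    $findings += "Run value 'Fast Track' = '$($run.'Fast Track')'"
}

# 3. Desktop shortcut, resolved from the current profile (assumption: same file name)
$lnk = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Internet.lnk'
if (Test-Path $lnk) { $findings += "Shortcut present: $lnk" }

# 4. Backup copy of hosts and the appended #NETVISION redirect line
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
if (Test-Path (Join-Path $etc 'hosts.nv')) { $findings += "Backup present: $etc\hosts.nv" }
$hostsFile = Join-Path $etc 'hosts'
if (Test-Path $hostsFile) {
    foreach ($m in (Select-String -Path $hostsFile -Pattern '#NETVISION' -SimpleMatch)) {
        $findings += "hosts line $($m.LineNumber): $($m.Line.Trim())"
    }
}

# 5. Internet Explorer start page hijack
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie -and ($ie.'Start Page' -like '*my-search.ws*')) {
    $findings += "IE Start Page = '$($ie.'Start Page')'"
}

if ($findings.Count -eq 0) {
    'No Diamin.jo indicators found.'
} else {
    'Indicators found:'
    foreach ($f in $findings) { " - $f" }
}
```

Run it from an elevated prompt so the HKLM key and the etc directory are readable; a hit on the hosts line or the Run value is the strongest signal, since the MountPoints2 entries listed above also appear on clean systems.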