Trojan.Win32.SecondThought
Details
Trojan.Win32.SecondThought.c
Trojan.Win32.SecondThought.c has two component parts.
The first is written in Visual C++ and compressed using UPX. The compressed size is 24288 bytes, and the decompressed size is 48864 bytes.
Installation
During installation, the Trojan downloads a file from http://www.2n****ought.com/files/loader.exe, saves it as stcloader.exe in the Windows system directory, and registers the file under the following system registry key so that it runs automatically at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Once installed, the Trojan launches stcloader.exe.
The second component part (stcloader.exe) is written in Visual C++ and compressed using UPX. The compressed size is 27648 bytes, and the decompressed size is 66048 bytes.
Installation
Stcloader.exe secretly installs itself in Program Files and registers itself in the system registry.
Payload
Stcloader.exe creates Second Thought.lnk on the Desktop with a link to itself, and Eliminate Pop-Ups with a link to http://www.ki****op-ups.com/block.php?ref=desktop. This causes advertising to be shown while the Internet is being used. The program collects information on which sites and resources interest the user, and sends this information to the creator of the virus. It also adds a Search tool bar to the browser.
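The traces described above (the Run key entry, the stcloader.exe file and the two desktop shortcuts) can be checked from artifacts exported from a suspect host. The following is an added example, not part of the original description: it parses the output of `reg query` for the Run key together with a file listing. The value names, paths and shortcut extensions in the sample input are constructed assumptions.

```python
import ntpath
import re

LOADER_NAME = "stcloader.exe"                             # file name from the description
SHORTCUT_STEMS = {"second thought", "eliminate pop-ups"}  # desktop items it creates

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
_VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")
# Match the loader as a whole file name inside a command line (quoted or with args)
_LOADER_RE = re.compile(r'(?:^|[\\/"\s])' + re.escape(LOADER_NAME) + r'(?=$|["\s])', re.I)

def parse_reg_query(text):
    """Return (name, type, data) tuples from `reg query <key>` output."""
    matches = (_VALUE_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2), m.group(3).strip()) for m in matches if m]

def find_indicators(reg_output, file_paths):
    """Flag Run values and files that match the behaviour described above."""
    findings = []
    for name, _type, data in parse_reg_query(reg_output):
        if _LOADER_RE.search(data):
            findings.append(("run-key", name, data))
    for path in file_paths:
        base = ntpath.basename(path).lower()
        stem = ntpath.splitext(base)[0]
        if base == LOADER_NAME:
            findings.append(("file", base, path))
        elif stem in SHORTCUT_STEMS and "\\desktop\\" in path.lower():
            findings.append(("shortcut", stem, path))
    return findings

# Constructed sample input: value names, user paths and extensions are made up.
SAMPLE_REG = "\n".join([
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    ExampleUpdater    REG_SZ    C:\Program Files\Example\notstcloader.exe",
    r'    ExampleValue    REG_SZ    "C:\WINDOWS\system32\STCLoader.exe" /s',
])
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\stcloader.exe",
    r"C:\Documents and Settings\user\Desktop\Second Thought.lnk",
    r"C:\Documents and Settings\user\Desktop\Eliminate Pop-Ups.url",
    r"C:\Documents and Settings\user\My Documents\second thought.txt",
]

if __name__ == "__main__":
    for kind, name, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f"{kind:9} {name:20} {detail}")
```

Matching on the file name alone is a triage signal rather than a verdict; a hit should be confirmed with an anti-malware scan of the flagged file.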