Hey Frenzz....
Doctor Web reports that a new blocker Trojan, Trojan.Winlock.5729, has been added to its virus database. What sets this piece of ransomware apart is that it locks the operating system using standard Windows tools, by changing the passwords of local users.
Traditionally, extortion programs have blocked access to the operating system with a special application that replaces the standard Windows shell or the userinit.exe file and displays a text message on the screen. At the same time, the malware usually monitors for and prevents the launch of support tools such as Task Manager, Command Prompt, Registry Editor, etc. The authors of Trojan.Winlock.5729 took a different, much simpler, but very original approach.
The Trojan hides in an installer distribution of the popular program Artmoney, which is designed to "cheat" various resources in computer games. In addition to the actual Artmoney installer, the distribution contains three files: a modified logonui.exe file named iogonui.exe (this file is responsible for displaying the GUI when a user logs in to Windows XP) and two self-extracting archives containing bat-files. When the infected installer is launched, the first of them, password_on.bat, is run. This file contains a set of commands that check the operating system: if the folder c:\users\ is present on the hard drive, which is a characteristic feature of Windows Vista and Windows 7, the harmful components are removed; if the folder is not found, the Trojan assumes it is running on Windows XP. In this case Trojan.Winlock.5729 modifies the system registry, replacing the default Windows logonui.exe with its own iogonui.exe file, and changes the password for the Windows account of the current user and for the local users named "admin", "administrator", "admin", "administrator". If the current user has a restricted account, the Trojan stops working. The other bat-file, password_off.bat, removes all the passwords and restores the original UIHost value in the registry.
The iogonui.exe file is a genuine logonui.exe file that came with Windows XP, in which the standard Windows welcome string has been changed with a resource editor to a demand to send a paid SMS.
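The UIHost replacement described above can be checked during triage. The following is an added example, not code from Doctor Web's report or from this post: it parses the text output of `reg query` for the Winlogon key (assumed here to be where UIHost lives, as on stock Windows XP) and flags a UIHost value that is not logonui.exe. The sample dumps and the trusted-directory list are constructed for illustration.

```python
import ntpath
import re

EXPECTED = "logonui.exe"  # stock Windows XP logon UI host named on the page
# Assumption: only these directories are acceptable if UIHost holds a full path.
TRUSTED_DIRS = {"%systemroot%\\system32", "c:\\windows\\system32"}
# One value line of `reg query` text output: name, type, data (tabs or spaces).
VALUE_LINE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Map lower-cased value names to their data from `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name").lower()] = match.group("data").strip()
    return values


def check_uihost(text):
    """Classify UIHost as 'ok', 'missing', 'replaced' or 'relocated'."""
    raw = parse_reg_query(text).get("uihost")
    if not raw:
        return "missing"
    path = raw.strip('"').lower()
    if ntpath.basename(path) != EXPECTED:
        return "replaced"      # e.g. the look-alike iogonui.exe
    folder = ntpath.dirname(path)
    if folder and folder not in TRUSTED_DIRS:
        return "relocated"     # right name, unexpected directory
    return "ok"


# Constructed sample dumps (not captured from a real host).
CLEAN_DUMP = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell\tREG_SZ\tExplorer.exe
    UIHost\tREG_EXPAND_SZ\tlogonui.exe
"""
INFECTED_DUMP = CLEAN_DUMP.replace("\tlogonui.exe", "\tiogonui.exe")
RELOCATED_DUMP = CLEAN_DUMP.replace("\tlogonui.exe", "\tC:\\Temp\\LogonUI.exe")

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("infected", INFECTED_DUMP),
                        ("relocated", RELOCATED_DUMP)):
        print(label, "->", check_uihost(dump))
```

A "replaced" or "relocated" result only says the logon UI host is not the stock one; the password changes the post describes have to be confirmed separately.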
Credits: Portal of Russian Hackers