TROJ_ANTIA1.TOMS
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
File Size: 577,536 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 04 May 2011
Payload: Drops files
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan adds the following folders:
- %User Temp%\ituamt
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops and executes the following files:
- %User Temp%\tmntswpqwvz.exe - detected by Trend Micro as TROJ_VILSEL.SMO
It drops the following non-malicious file:
- %User Temp%\ituamt\ihwqqlazsgegqfnwvkee
Other System Modifications
This Trojan adds the following registry entry as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = 0
(Note: Setting EnableLUA to 0 disables User Account Control on Windows Vista and later, so subsequent privileged actions no longer trigger a consent prompt.)