ACM_KENILFE.B
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies files, preventing programs and applications from running properly.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- {Autocad installation folder}\acad.fas
- {Autocad fonts folder}\txtautoz.shx
It creates the following folders:
- C:\Bakdirectory
Other System Modifications
This Trojan modifies the following files:
- acad.mnl
NOTES:
It stores configuration information in the following registry locations:
- HKEY_CURRENT_USER\Software\fileken\settings
- HKEY_CURRENT_USER\Software\KenFiles\settings
It sends a PING command to the following sites:
- {BLOCKED}36.100.100
- {BLOCKED}jxx.2288.org
It checks whether the following files are present on the system and deletes any that it finds:
- arxfucker.dll
- acad.sys
- acadsmu.fas
- acadapq.lsp
- acadappp.lsp
- acadapp.lsp
- dwgrun.bat
- winfas.ini
- acadiso.lsp
- acad.fas
- isomianyi.shx
- acad.fas1
- lcm.fas
- isohztxt.shx