PE_TENGA.A
Windows
Threat Type: File infector
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It infects by appending its code to target host files. It creates an infection marker in infected files.
It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.
As of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
Arrival Details
This file infector may arrive via network shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This file infector adds the following mutexes to ensure that only one of its copies runs at any one time:
- gaelicum
It injects codes into the following process(es):
- winlogon.exe
File Infection
This file infector infects the following file types:
- .EXE
It infects the following file types in shared networks to ensure its propagation:
- .EXE
It infects by appending its code to target host files.
It creates an infection marker in infected files.
It avoids infecting the following files:
- ntoskernel.exe
Backdoor Routine
This file infector executes the following commands from a remote malicious user:
- Execute arbitrary codes
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- vx9.users.{BLOCKED}d.at:54321
However, as of this writing, the said sites are inaccessible.
Download Routine
This file infector connects to the following website(s) to download and execute a malicious file:
- http://utenti.{BLOCKED}s.it/vx9/dl.exe
It saves the files it downloads using the following names:
- {Malware path}\dl.exe
As of this writing, the said sites are inaccessible.
NOTES:
It does not have rootkit capabilities.
It does not exploit any vulnerability.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Search and delete these files
- {Malware path}\dl.exe
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_TENGA.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
Did this description help? Tell us how we did.