Gepost.M_2 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in a malicious way. Trojans do not replicate or spread to other computers. Gepost.M_2 is compressed using an executable packer and its file size is 45,412 bytes.
Gepost.M_2 drops the following files on the hard drive:
- C:\WINDOWS\system32\WTYZTOUUWORVWZXZVOSVUUV\scservice.exe (45980 bytes)
- C:\WINDOWS\system32\JGLMGBHHJBEIJMKMIBFIHHI\fvge968.exe (45848 bytes)
- C:\WINDOWS\system32\WTYZTOUUWORVWZXZVOSVUUV\servicess.exe (46084 bytes)
- C:\WINDOWS\system32\WTYZTOUUWORVWZXZVOSVUUV\mirror.exe (46192 bytes)
- C:\WINDOWS\system32\WTYZTOUUWORVWZXZVOSVUUV\netdhcp.exe (46316 bytes)
It also changes the Windows registry:
- Creates value "fvge968"="C:\WINDOWS\system32\JGLMGBHHJBEIJMKMIBFIHHI.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe".
- Sets value "Debugger"="C:\WINDOWS\system32\JGLMGBHHJBEIJMKMIBFIHHI\services.exe" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe".
It creates the following mutex to ensure only one instance is running: 869egvf. It also contains anti-debugging code, is executed every time Windows starts, attempts to acquire the "SeDebugPrivilege" privileges,