File Name: irat.rmvb \ mm.exe
File Size: 140800 bytes
AV Name:
Downloader.Win32.Delf.dqu (Kaspersky)
MultiDropper-Jd (McAfee)
Downloader/W32.Agent.137216.I (nProtect)
Packer: None
Programming Language: Delphi
File MD5: 1b2cf1cdcb03c7c990c6ffe5a75e0f9b
Virus Type: Backdoor
Behavior Analysis:
1. Drops a copy of itself:
C:\windows\system32\irat.rmvb (130194 bytes)
2. Registers itself as a system service hosted by svchost.exe, under a group name ("audiosrvc") chosen to resemble the legitimate audio service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irat
  Type          REG_DWORD       0x110
  Start         REG_DWORD       0x2
  ErrorControl  REG_DWORD       0x0
  ImagePath     REG_EXPAND_SZ   %SystemRoot%\system32\svchost.exe -k audiosrvc
  DisplayName   REG_SZ          irat
  ObjectName    REG_SZ          LocalSystem
  Description   REG_SZ          System Process
3. Once the above is done, drops delex.bat and uses it to delete the original executable.
4. From inside the svchost process, makes an outbound (reverse) connection and accepts remote control.
5. Periodically checks whether its registry key and file still exist and recreates them if they are missing.
Solution:
1. Download SREng (from down.45it.com), restart the computer and press F8 to boot into Safe Mode.
2. Use SREng to delete this service entry:
[irat / irat] [Running / Disabled]
{C:\windows\system32\svchost.exe -k audiosrvc --> c:\windows\system32\irat.rmvb}{}
3. Delete the file from disk:
C:\windows\system32\irat.rmvb
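The persistence in step 2 of the behaviour analysis and the removal above both come down to one question: is a service that claims to run inside svchost.exe consistent with the rest of the registry? The following Python check is an added example, not part of the original report and not SREng's or the analyst's own code. It takes a service inventory (as you would get from a registry export of HKLM\SYSTEM\CurrentControlSet\Services and the Svchost group key) and flags svchost-hosted services whose -k group is not registered, whose DLL is not a DLL under System32, or whose Type bits do not fit a shared-process service. The snapshot below is constructed; the irat entry mirrors the values listed in the report, but its ServiceDll value is an assumption, because the report records only the ImagePath and a service hosted in svchost has to name a DLL to load.

```python
import ntpath
import re

# Service Type flags as defined by the Win32 service API.
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100

# Matches an ImagePath of the form "...\svchost.exe -k <group>" and captures the group.
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Constructed registry snapshot (not taken from the page). The "irat" entry mirrors
# the values the report lists; its ServiceDll is an assumption, because the report
# records only the ImagePath and a service hosted in svchost must name a DLL to load.
SAMPLE_SVCHOST_GROUPS = {            # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    "netsvcs": ["Schedule", "AudioSrv"],
}
SAMPLE_SERVICES = {                  # HKLM\SYSTEM\CurrentControlSet\Services\<name>
    "Schedule": {"Type": 0x20, "Start": 2,
                 "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
    "AudioSrv": {"Type": 0x20, "Start": 2,
                 "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\audiosrv.dll"},
    "Spooler":  {"Type": 0x110, "Start": 2,
                 "ImagePath": r"%SystemRoot%\system32\spoolsv.exe"},   # not svchost-hosted
    "irat":     {"Type": 0x110, "Start": 2, "ErrorControl": 0,
                 "ImagePath": r"%SystemRoot%\system32\svchost.exe -k audiosrvc",
                 "DisplayName": "irat", "ObjectName": "LocalSystem",
                 "Description": "System Process",
                 "ServiceDll": r"C:\WINDOWS\system32\irat.rmvb"},        # assumed value
}


def expand_systemroot(path, systemroot=r"C:\WINDOWS"):
    """Resolve %SystemRoot% the way a REG_EXPAND_SZ value is expanded."""
    return re.sub(r"%SystemRoot%", lambda _: systemroot, path, flags=re.IGNORECASE)


def audit_svchost_services(services, svchost_groups, systemroot=r"C:\WINDOWS"):
    """Return {service_name: [reasons]} for every svchost-hosted service that fails a check."""
    groups = {g.lower(): {m.lower() for m in members} for g, members in svchost_groups.items()}
    system32 = ntpath.join(systemroot, "system32").lower()
    findings = {}
    for name, values in services.items():
        match = SVCHOST_RE.search(values.get("ImagePath", ""))
        if not match:
            continue  # runs in its own executable; this check only covers svchost hosting
        group = match.group(1)
        reasons = []
        # 1. The -k group must exist under the Svchost key and list this service.
        if group.lower() not in groups:
            reasons.append(f"svchost group '{group}' is not registered under the Svchost key")
        elif name.lower() not in groups[group.lower()]:
            reasons.append(f"service is not listed as a member of svchost group '{group}'")
        # 2. The DLL svchost loads must be present as a value and look like a system DLL.
        dll = values.get("ServiceDll")
        if dll is None:
            reasons.append("ImagePath is svchost.exe but no Parameters\\ServiceDll value is set")
        else:
            full = expand_systemroot(dll, systemroot)
            if ntpath.dirname(full).lower() != system32:
                reasons.append(f"ServiceDll is outside System32: {full}")
            if not full.lower().endswith(".dll"):
                reasons.append(f"ServiceDll has a non-DLL extension: {ntpath.basename(full)}")
        # 3. Type should be a share-process service without the interactive flag.
        stype = values.get("Type", 0)
        if not stype & SERVICE_WIN32_SHARE_PROCESS:
            reasons.append(f"Type 0x{stype:x} lacks SERVICE_WIN32_SHARE_PROCESS")
        if stype & SERVICE_INTERACTIVE_PROCESS:
            reasons.append(f"Type 0x{stype:x} sets SERVICE_INTERACTIVE_PROCESS")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in audit_svchost_services(SAMPLE_SERVICES, SAMPLE_SVCHOST_GROUPS).items():
        print(svc)
        for line in why:
            print("  -", line)
```

On the constructed snapshot only irat is reported, for four reasons: its group "audiosrvc" is not registered under the Svchost key, its ServiceDll ends in .rmvb rather than .dll, and its Type 0x110 is an own-process, interactive service rather than the 0x20 share-process type a real svchost-hosted service uses. The two legitimate netsvcs members pass, and Spooler is skipped because it does not run inside svchost at all. The same checks can be run over a live system by feeding the function the output of a registry export instead of the inline sample.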