- Security Center
- English ▾
Size: 16896 bytes
Aliases : Backdoor:Win32.Poison
Trojan.Win32.Generic!BT is a Trojan which extracts from itself another malicious program providing the attacker with unauthorized remote access to the infected computer. The Trojan is installed on the system by another malicious program which uses the critical vulnerability CVE-2012-4969.
Once activated, the Trojan locates its original body in the current user's Windows temporary folder with a randomly generated name:
where <rnd> is a random sequence of numbers, e.g.: "690046".
The Trojan disables Windows System File Checker by ending the threads of the winlogon.exe process which monitor the system file integrity:
The Trojan then replaces the mspmsnsv.dll system library. The mspmsnsv.dll file is a module responsible for providing Microsoft Media Device Service:
The file is 10240 bytes in size and it is detected as Trojan.Win32.Generic!BT by Ad-Aware.
For the replaced library mspmsnsv.dll, the file creation date and time are the same as for the "%System%\sfc.exe" file.
The Trojan then modifies the value of the WmdmPmSN system service start parameter:
Thus, the service will start automatically each time Windows starts.
The Trojan then runs the WmdmPmSN service which in its turn runs the modified system library mspmsnsv.dll within the context of svchost.exe. With the help of the library, the Trojan tries to connect to the command server for further performance of the attacker’s command:
When a description was created, the server did not work.
The Trojan body %Temp%\<rnd>.dat is removed next time Windows is booted using the registry key:
- Restore the registry key value (How to Work with System Registry):
- Restore the file:
- Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
- Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
- Install and update: