Troj/Dloader-FS

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Dloader-FS is a downloader Trojan for the Windows platform.

Troj/Dloader-FS will attempt to download and run a number of files from a remote website.

Troj/Dloader-FS will attempt to delete a number of files from the infected computer. Most belong to other adware, but some are legitimate Windows components (for example exe2bin.exe, fastopen.exe and mscdexnt.exe), so their deletion is not harmless. The list includes the following files:

%SYSTEM%\host32.exe
%SYSTEM%\telnet.exe.tmp
%SYSTEM%\mouse.exe
%SYSTEM%\com.exe
%SYSTEM%\fnnmqi.exe
%SYSTEM%\exdl.exe
%SYSTEM%\exe2bin.exe
%SYSTEM%\exul.exe
%SYSTEM%\fastopen.exe
%SYSTEM%\mscdexnt.exe
%SYSTEM%\printer32.exe
%SYSTEM%\ykyrtws.exe
%SYSTEM%\lpt.exe
%SYSTEM%\ir.exe
%SYSTEM%\intron.exe
%SYSTEM%\intronet.exe
%SYSTEM%\twink64.exe
%SYSTEM%\usb.exe
%SYSTEM%\systime.exe
%SYSTEM%\dktibs.exe

Troj/Dloader-FS will delete a number of registry entries relating to adware.

The Trojan will attempt to terminate any active processes from the following list:

systime.exe, telnet.exe, ykyrtws.exe, printer32.exe, printer.exe, exdl.exe,
fnnmqi.exe, iinstall.exe, optimize.exe, actalert.exe, istsvc.exe, Winad.exe,
WinClt.exe, bargains.exe, ttgkirnl.exe, Installer2.exe, bdl74125.exe,
powerscan.exe, alchem.exe, sidefind.exe, host32.exe, teur.exe, usb.exe,
intronet.exe, intron.exe, ir.exe, lpt.exe

When first run, Troj/Dloader-FS will copy itself to the Windows system folder as KERNELS32.EXE. In order to run automatically, Troj/Dloader-FS will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System
%SYSTEM%\kernels32.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %SYSTEM%\kernels32.exe

Troj/Dloader-FS will alter the infected computer's internet security settings by adding registry entries to the following branches:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133

Troj/Dloader-FS will attempt to disable the Windows Task Manager by setting the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

Troj/Dloader-FS replaces the HOSTS file with a new version that maps selected hostnames to the loopback address 127.0.0.3, so that connections to those sites never leave the infected computer. The sites relate to adware and adult content.
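The following PowerShell triage script is an added example and is not part of the Sophos description; it checks a host for the artifacts listed above (the dropped file, the two run entries, the ZoneMap key, the Task Manager policy and the HOSTS sinkhole lines). It assumes that %SYSTEM% is %windir%\System32, that the Winlogon Shell value on a clean machine is exactly explorer.exe, and that it is run from an elevated session so the HKLM keys are readable.

```powershell
# Added triage script for the Troj/Dloader-FS indicators described on this page.
# Assumptions: %SYSTEM% = %windir%\System32; a clean Winlogon Shell is 'explorer.exe';
# run elevated. Read-only: it reports, it does not clean.
$system32 = Join-Path $env:windir 'System32'
$findings = @()

# 1. Dropped copy of the Trojan in the system folder.
$dropped = Join-Path $system32 'kernels32.exe'
if (Test-Path -LiteralPath $dropped) { $findings += "File present: $dropped" }

# 2. Run key value named 'System' (the Trojan's first autostart entry).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name 'System' -ErrorAction SilentlyContinue).System
if ($runVal) { $findings += "Run value 'System' = $runVal" }

# 3. Winlogon Shell: anything appended to explorer.exe is suspicious.
$wlKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { $findings += "Winlogon Shell = $shell" }

# 4. ZoneMap entry for the hard-coded IP, in both hives named on the page.
foreach ($hive in 'HKCU', 'HKLM') {
    $zm = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133"
    if (Test-Path -LiteralPath $zm) { $findings += "ZoneMap entry present: $zm" }
}

# 5. Task Manager disabled by policy.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $pol -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) { $findings += 'DisableTaskMgr = 1' }

# 6. HOSTS lines that sinkhole a hostname to 127.0.0.3.
$hosts = Join-Path $system32 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '^\s*127\.0\.0\.3\s+\S+' } |
        ForEach-Object { $findings += "HOSTS sinkhole: $_" }
}

if ($findings.Count -eq 0) { 'No Troj/Dloader-FS indicators found.' } else { $findings }
```

A hit on any single check is worth investigating, but the Winlogon Shell and DisableTaskMgr checks are also tripped by other malware and by some legitimate administrative lockdowns, so confirm with the kernels32.exe file or the Run value before attributing the infection to this family.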
