Troj/Harnig-AL

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Harnig-AL is a downloader Trojan.

Troj/Harnig-AL runs as a service process and downloads files from several remote destinations, saving them as TOOLBAR.EXE, TEST, MSTASKS1.EXE, MSTASKS2.EXE and MSTASKS3.EXE in the Windows folder and as DKTIBS.EXE and SYSTIME.EXE in the Windows system folder. At the time of writing, DKTIBS.EXE is detected as Troj/Dloader-CX; the other files are all corrupt executables and will not run.

Troj/Harnig-AL attempts to delete the HOSTS file in the Windows folder and in the DRIVERS\ETC subfolder of the Windows system folder, and replaces each with a file whose entries redirect certain websites to the loopback address.

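
A check for the HOSTS replacement described above, as an added example that is not part of the original write-up or any Sophos tool: it flags every hostname other than localhost that a HOSTS file maps to a loopback address, which generalizes beyond this one Trojan. The function names, the benign-name set and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
import ntpath

# Names that normally resolve to loopback on a clean system (assumed baseline).
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input; not taken from an infected host.
SAMPLE = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.3       updates.example.test   # pinned to loopback
127.0.0.3       www.example.test cdn.example.test
192.0.2.10      intranet.example.test
not-an-ip       junk
"""


def candidate_paths(windows_dir, system_dir):
    """The two HOSTS locations named in the description above."""
    return [
        ntpath.join(windows_dir, "HOSTS"),
        ntpath.join(system_dir, "DRIVERS", "ETC", "HOSTS"),
    ]


def audit_hosts(text):
    """Return (line_no, address, hostname) for each name redirected to loopback."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        if not addr.is_loopback:
            continue  # only loopback mappings are of interest here
        for name in fields[1:]:  # one line may carry several aliases
            if name.lower() not in BENIGN_NAMES:
                findings.append((line_no, str(addr), name.lower()))
    return findings


if __name__ == "__main__":
    for line_no, addr, name in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} -> {addr}")
```

Some ad-blocking and hardening tools also write loopback entries to HOSTS, so compare findings against a known-good baseline before treating them as evidence of infection.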

Troj/Harnig-AL attempts to terminate processes related to a list of specific files.

