Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 28 March 2006 20:48:41 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.
Troj/RKDepo-A attempts to hide information about its files and registry entries, providing stealthing by directly manipulating structures in the system kernel.
Troj/RKDepo-A periodically attempts to download and execute files from a number of websites.
When first run Troj/RKDepo-A copies itself to <System>\sxlntr.exe and creates the clean log file <Temp>\dgkmldgmdfgdf.tjh.
Troj/RKDepo-A attempts to set the following registry entries to run itself on startup:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | hdloker | <path to Trojan> |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | hdloker | <path to Trojan> |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows | load | <path to Trojan> |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows | run | <path to Trojan> |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | hdloker | <path to Trojan> |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | hdloker | <path to Trojan> |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | load | <path to Trojan> |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | run | <path to Trojan> |
The following registry entry is set to run sxlntr.exe on startup:

| Key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell | explorer.exe <path to Trojan> |

(The default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup.)
Troj/RKDepo-A creates the following registry entry with a unique number to identify the infected computer:

| Key | Value name |
|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer | WINID |
Troj/RKDepo-A periodically attempts to download and execute files from a number of websites to <Temp>\<random numbers>.exe.
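The persistence locations above (the Run/RunOnce values, the legacy `load`/`run` values under `Windows NT\CurrentVersion\Windows`, the altered Winlogon `Shell` value and the `WINID` marker) can be audited offline from a `reg export` dump. The following is an added example, not Sophos code: it parses a constructed `.reg`-style excerpt (the paths and the WINID number are invented for illustration, not real indicators) and reports each entry that matches what the advisory describes. The `sxlntr.exe` and `hdloker` names come from the advisory; everything else in the sample is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a partial `reg export`-style dump of the keys the advisory lists.
# The file paths and the WINID number are invented to resemble an infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"hdloker"="C:\\WINDOWS\\system32\\sxlntr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\sxlntr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\sxlntr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"WINID"="0003478291"
"""

_HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Registry locations named in the advisory (hive stripped, lower-cased for matching).
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
WINDOWS_KEY = r"software\microsoft\windows nt\currentversion\windows"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
EXPLORER_KEY = r"software\microsoft\windows\currentversion\explorer"

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values from a .reg export into {key_path: {value_name: data}}.

    Hive names are shortened (HKEY_LOCAL_MACHINE -> HKLM) and key paths are
    lower-cased so comparisons are case-insensitive, as the registry itself is.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = f"{_HIVE_ALIASES.get(hive, hive)}\\{rest}".lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside string data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def find_rkdepo_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, reason) for each entry matching the advisory."""
    findings: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        _hive, _, subkey = path.partition("\\")
        for name, data in values.items():
            lname, ldata = name.lower(), data.lower()
            if subkey in RUN_KEYS and (lname == "hdloker" or "sxlntr.exe" in ldata):
                findings.append((path, name, "Run/RunOnce entry launching the Trojan"))
            elif subkey == WINDOWS_KEY and lname in ("load", "run") and data.strip():
                # These win.ini-mapped values are normally empty on a clean system.
                findings.append((path, name, "non-empty Windows load/run value"))
            elif subkey == WINLOGON_KEY and lname == "shell" and ldata.strip() != "explorer.exe":
                # The default Shell data is exactly "Explorer.exe"; anything appended is suspect.
                findings.append((path, name, "Winlogon Shell altered from default"))
            elif subkey == EXPLORER_KEY and lname == "winid":
                findings.append((path, name, "WINID infection marker present"))
    return findings


if __name__ == "__main__":
    for key_path, value_name, reason in find_rkdepo_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{reason}: {key_path} -> {value_name}")
```

On a live system the same checks can be run against output of `reg export` for each hive; the Winlogon `Shell` check in particular is worth keeping as a standing control, since any value other than the default `Explorer.exe` indicates something is being started alongside the shell.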