Trojan:Win32/Injector.AF is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/Injector.AF copies itself to the following locations:
- <system folder>\445ee588acc0e9de1694.exe
- c:\documents and settings\administrator\application data\jnobiba\871ed650acc0e9de80ed.exe
- c:\documents and settings\administrator\local settings\temp\emppslffyg.pre
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "Userinit"
With data: "c:\windows\system32\userinit.exe,c:\windows\system32\445ee588acc0e9de1694.exe,"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The malware removes the originally executed copy of itself at the next system restart by making the following registry modification:
Adds value: "PendingFileRenameOperations"
With data: "c:\documents and settings\administrator\local settings\temp\emppslffyg.pre"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
The malware uses code injection to hinder detection and removal. When Trojan:Win32/Injector.AF executes, it may inject code into running processes, including the following, for example:
Payload
Modifies system settings
Trojan:Win32/Injector.AF disables registry editing tools by making the following registry modification:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
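The three registry changes described in this entry (the extra Userinit entry, the reboot-time self-delete via PendingFileRenameOperations, and the DisableRegistryTools policy) can be audited from a snapshot of those values. The following is an added example written for this page, not part of the original entry or any vendor tool; the snapshot is constructed from the values listed above, and reading them from a live registry (for example with winreg on Windows) is left to the caller.

```python
from typing import Dict, List

# Constructed snapshot of the values the entry above describes, in the state
# the trojan leaves them. Sample data only, not read from a live system.
SAMPLE_SNAPSHOT: Dict[str, object] = {
    "Userinit": "c:\\windows\\system32\\userinit.exe,"
                "c:\\windows\\system32\\445ee588acc0e9de1694.exe,",
    # REG_MULTI_SZ of source/destination pairs; an empty destination means
    # "delete on next boot". Sources normally carry the NT "\??\" prefix.
    "PendingFileRenameOperations": [
        "\\??\\c:\\documents and settings\\administrator\\local settings\\temp\\emppslffyg.pre",
        "",
    ],
    "DisableRegistryTools": 1,
}


def userinit_extras(value: str, system_dir: str = r"c:\windows\system32") -> List[str]:
    """Userinit is a comma-separated list of programs run at logon; the default is
    only <system_dir>\\userinit.exe. Return every entry that is not that default."""
    default = system_dir.lower().rstrip("\\") + "\\userinit.exe"
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    return [e for e in entries if e and e != default]


def pending_deletions(multi_sz: List[str]) -> List[str]:
    """Return the source paths scheduled for deletion at reboot (pairs whose
    destination is empty), with the NT "\\??\\" prefix stripped."""
    out = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            out.append(src[4:] if src.startswith("\\??\\") else src)
    return out


def audit(snapshot: Dict[str, object]) -> List[str]:
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for extra in userinit_extras(str(snapshot.get("Userinit", ""))):
        findings.append(f"Userinit runs an extra binary at logon: {extra}")
    for path in pending_deletions(list(snapshot.get("PendingFileRenameOperations", []))):
        # A self-delete of something dropped in a temp folder is the pattern above.
        if "\\temp\\" in path.lower():
            findings.append(f"reboot-time deletion of a temp-folder file scheduled: {path}")
    if snapshot.get("DisableRegistryTools") == 1:
        findings.append("registry editing tools disabled by policy (DisableRegistryTools=1)")
    return findings
```

Pass `system_dir=r"c:\winnt\system32"` to `userinit_extras` on Windows 2000/NT hosts so the default Userinit path is not itself reported.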
This malware description was produced and published using our automated analysis system's examination of file SHA1 cabe5db169cccabde3010d9b5cfaadd6db8f4d00.