Trojan.Zeraf is a destructive Trojan horse that deletes critical system files. If it has executed, you will no longer be able to run Windows.

This Trojan is programmed in Delphi and distributed as a UPX-packed, self-extracting RAR archive. (UPX is a runtime compressor for Windows executable files.)

When the Trojan is run, it writes the actual Trojan executable to the hard disk as C:\Zeraful\Zeraful.exe and then executes that file.

Trojan.Zeraf displays a program interface that appears to scan the system.

While the counter runs to 100%, the destructive payload activates. It attempts to delete the following files:
- C:\Angelus.ang
- C:\Windows\User.dat
- C:\Windows\System.dat
- C:\Command.com
- C:\Autoexec.bat
- C:\Windows\System\Bios.vxd
- C:\Windows\System\Pci.vxd
- C:\Windows\System\Pcimp.pci
- C:\Windows\System32\Drivers\Hidparse.sys
- C:\Windows\System32\Drivers\Hidclass.Sys
- C:\Windows\System32\Drivers\Hidvkd.Sys
- C:\Windows\System\Vmm32.vxd
- C:\Windows\Win.ini
- C:\Windows\Inf\Msmouse.inf
- C:\Windows\Inf\Msmouse.pnf
- C:\Windows\System\Mouse.drv
- C:\Windows\System\Msmouse.vxd
- C:\Windows\System\Keyboard.drv
- C:\Windows\Inf\Keyboard.inf
- C:\Windows\Inf\Keyboard.pnf
- C:\Config.sys
- C:\Windows\Command\Country.sys
- C:\Windows\Command\Display.sys
- C:\Windows\Emm386.exe
- C:\Windows\Himem.sys
- C:\Windows\Command\Keyboard.sys
- C:\Windows\Command\Keybrd2.sys
- C:\Msdos.sys
- C:\Io.sys
- C:\Windows\System.ini
- C:\Windows\Rundll.exe
- C:\Windows\Rundll32.exe
- C:\Windows\Defrag.exe
- C:\Windows\Explorer
- C:\Windows\Regedit.exe
- C:\Windows\Notepad.exe
- C:\Windows\Paint.exe
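As an added example (not part of the original writeup), the following triage script takes the root of a mounted or copied drive image, checks whether the dropped C:\Zeraful\Zeraful.exe is present, and reports which of the files on the list above are missing. The drop path and target list come from the writeup; the function names, the image-root argument and the scratch sample tree are assumptions.

```python
import tempfile
from pathlib import Path

# Drop location and deletion targets as listed in the writeup; the "C:\" prefix is
# stripped so the list can be checked against any mounted image or copied tree.
ZERAF_DROPPER = r"Zeraful\Zeraful.exe"
ZERAF_TARGETS = [
    r"Angelus.ang", r"Windows\User.dat", r"Windows\System.dat", r"Command.com",
    r"Autoexec.bat", r"Windows\System\Bios.vxd", r"Windows\System\Pci.vxd",
    r"Windows\System\Pcimp.pci", r"Windows\System32\Drivers\Hidparse.sys",
    r"Windows\System32\Drivers\Hidclass.Sys", r"Windows\System32\Drivers\Hidvkd.Sys",
    r"Windows\System\Vmm32.vxd", r"Windows\Win.ini", r"Windows\Inf\Msmouse.inf",
    r"Windows\Inf\Msmouse.pnf", r"Windows\System\Mouse.drv", r"Windows\System\Msmouse.vxd",
    r"Windows\System\Keyboard.drv", r"Windows\Inf\Keyboard.inf", r"Windows\Inf\Keyboard.pnf",
    r"Config.sys", r"Windows\Command\Country.sys", r"Windows\Command\Display.sys",
    r"Windows\Emm386.exe", r"Windows\Himem.sys", r"Windows\Command\Keyboard.sys",
    r"Windows\Command\Keybrd2.sys", r"Msdos.sys", r"Io.sys", r"Windows\System.ini",
    r"Windows\Rundll.exe", r"Windows\Rundll32.exe", r"Windows\Defrag.exe",
    r"Windows\Explorer", r"Windows\Regedit.exe", r"Windows\Notepad.exe", r"Windows\Paint.exe",
]

def find_ci(root: Path, win_path: str):
    """Resolve a backslash path under root, matching each component case-insensitively.
    FAT volumes ignore case, but a tree copied onto ext4 does not, so an exact match
    would falsely report 'win.ini' as deleted when the list spells it 'Win.ini'."""
    cur = root
    for part in win_path.split("\\"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def triage_zeraf(root) -> dict:
    """Report whether the dropped executable is present and which targets are gone."""
    root = Path(root)
    missing = [p for p in ZERAF_TARGETS if find_ci(root, p) is None]
    return {"dropper_present": find_ci(root, ZERAF_DROPPER) is not None,
            "missing": missing, "missing_count": len(missing)}

def run_demo() -> dict:
    """Constructed sample: a scratch 'drive' where the dropper landed and only two
    listed files survived (stored in a different case to exercise find_ci)."""
    root = Path(tempfile.mkdtemp())
    (root / "Zeraful").mkdir()
    (root / "Zeraful" / "Zeraful.exe").write_bytes(b"MZ")
    (root / "WINDOWS" / "SYSTEM").mkdir(parents=True)
    (root / "WINDOWS" / "win.ini").write_text("[windows]\n")
    (root / "WINDOWS" / "SYSTEM" / "vmm32.vxd").write_bytes(b"")
    return triage_zeraf(root)
```

Point `triage_zeraf` at the mount point of a suspect drive image (for example `/mnt/image`) to get a damage inventory before attempting recovery of the listed files from installation media.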