
Trojan.Disakil


First posted on 05 January 2016.
Source: Symantec

Aliases:

There are no other names known for Trojan.Disakil.

Explanation:

Once executed, the Trojan creates the following file:
%Temp%\=[RANDOM DIGITS]=.tmp
The Trojan deletes the following registry subkey:
HKEY_LOCAL_MACHINE\Software\MicrosoftApplicationMgr
Next, the Trojan overwrites several bytes of data at the beginning of the following file:
[PATH TO FILE]\sec_service.exe
The Trojan also overwrites several bytes of data at the beginning of files smaller than 1,048,576 bytes found on fixed or remote drives that have the following extensions:
.accdb .bin .bmp .boot .cfg .crt .db .dbf .djvu .doc .docx .exe .ini .iso .jar .jpeg .jpg .lib .mdb .mdf .msi .pdf .ppt .pptx .rar .rtf .sql .tib .tiff .txt .vhd .xls .xlsx .xml .zip
The Trojan also overwrites several bytes of data at the beginning of files found in the c:\windows\ folder with the following extensions:
.dll .exe .xml .ttf .nfo .fon .ini .cfg .boot .jar
The Trojan may also end all processes except for the following:
73.exe
audiodg.exe
conhost.exe
csrss.exe
dwm.exe
explorer.exe
komut.exe
lsass.exe
lsm.exe
services.exe
shutdown.exe
smss.exe
spoolss.exe
spoolsv.exe
svchost.exe
taskhost.exe
wininit.exe
winlogon.exe
wuauclt.exe
The Trojan may also perform the following actions:
End and delete the sec_service service
End sec_service.exe
Enumerate all drives on the compromised computer and then delete the master boot record (MBR) on the first 10 drives found
Clear application, security, setup, and system event logs
Restart the computer
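The file overwrites described above (several bytes at the start of in-scope files under 1,048,576 bytes, plus the MBR wipe) leave a signature a responder can hunt for: files whose leading bytes no longer match the magic their extension implies, and first sectors missing the 0x55 0xAA boot signature. The following triage script is an added example, not code from Symantec or malwarePDF. The extension lists and the size threshold come from the page; the table of expected magic bytes is an assumption covering only a practical subset of those extensions, and the sample files it scans are constructed in a temporary directory so it runs offline.

```python
"""Triage helper for the Disakil-style header overwrites described above.

Added example, not Symantec's or malwarePDF's code.  Assumptions: the
EXPECTED_MAGIC table is a hand-picked subset (only some listed extensions
have a stable signature); the size limit and extension lists are taken
from the write-up; sample files are constructed, not real victim data.
"""
import os
import tempfile
from pathlib import Path

SIZE_LIMIT = 1_048_576  # write-up: only files smaller than this are overwritten

# Extensions targeted on fixed/remote drives (from the write-up).
TARGET_EXTS = {
    ".accdb", ".bin", ".bmp", ".boot", ".cfg", ".crt", ".db", ".dbf", ".djvu",
    ".doc", ".docx", ".exe", ".ini", ".iso", ".jar", ".jpeg", ".jpg", ".lib",
    ".mdb", ".mdf", ".msi", ".pdf", ".ppt", ".pptx", ".rar", ".rtf", ".sql",
    ".tib", ".tiff", ".txt", ".vhd", ".xls", ".xlsx", ".xml", ".zip",
}
# Extensions targeted under c:\windows\ (from the write-up).
WINDOWS_EXTS = {".dll", ".exe", ".xml", ".ttf", ".nfo", ".fon", ".ini",
                ".cfg", ".boot", ".jar"}

# Expected leading bytes per extension (assumption: practical subset only).
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",), ".jar": (b"PK\x03\x04",),
    ".exe": (b"MZ",), ".dll": (b"MZ",),
    ".msi": (b"\xd0\xcf\x11\xe0",), ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",), ".ppt": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
    ".rar": (b"Rar!\x1a\x07",),
    ".rtf": (b"{\\rtf",),
}


def header_mismatch(path: Path) -> bool:
    """True if the extension has a known signature and the file's leading
    bytes do not carry it, the symptom of 'several bytes overwritten at the
    beginning'.  Unknown extensions are never flagged."""
    expected = EXPECTED_MAGIC.get(path.suffix.lower())
    if expected is None:
        return False
    with path.open("rb") as fh:
        head = fh.read(max(len(m) for m in expected))
    return not any(head.startswith(m) for m in expected)


def scan_tree(root: Path, exts=frozenset(TARGET_EXTS)) -> list:
    """Walk root and return in-scope files (targeted extension, below the
    size limit) whose header no longer matches their extension."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in exts:
                continue
            if p.stat().st_size >= SIZE_LIMIT:
                continue  # the Trojan only touches smaller files
            if header_mismatch(p):
                flagged.append(p)
    return sorted(flagged)


def mbr_looks_wiped(sector: bytes) -> bool:
    """A readable 512-byte first sector should end in the 0x55 0xAA boot
    signature; its absence is consistent with the MBR deletion described."""
    return len(sector) < 512 or sector[510:512] != b"\x55\xaa"


def build_sample_tree() -> Path:
    """Constructed sample files (not real artefacts) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="disakil_triage_"))
    (root / "intact.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (root / "wiped.pdf").write_bytes(b"\x00" * 64 + b"rest of document")
    (root / "wiped.exe").write_bytes(b"\x00" * 64 + b"rest of image")
    (root / "intact.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "big.pdf").write_bytes(b"\x00" * SIZE_LIMIT)  # at limit: out of scope
    (root / "notes.md").write_bytes(b"\x00" * 8)  # extension not targeted
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_tree(sample_root):
        print("header mismatch:", hit)
    print("zeroed sector looks wiped:", mbr_looks_wiped(b"\x00" * 512))
```

Run against a real tree, scan_tree reports only files that both fall in the Trojan's scope and fail their signature check, which keeps the false-positive rate low; pass WINDOWS_EXTS as the second argument when walking a Windows directory, and feed mbr_looks_wiped the first 512 bytes read from a disk image.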

Last update 05 January 2016
