Hi nitin1612,
Recognition of an NTOS.exe infection:
As soon as this Trojan horse has been activated, it creates the following mutex, which ensures that only one copy of the threat is actively running on the infected machine:
__SYSTEM__64AD0625__
The Trojan then checks whether the following firewall programs are active on the infected machine:
• ZLCLIENT.EXE
• OUTPOST.EXE
Then the Trojan collects the following information on the infected computer:
• Which version of the operating system is running
• Whether Service Pack 2 has been installed
• Which language the system is running in
Then the Trojan copies itself to the following location and adds random data to the file to vary its file size:
%System%\ntos.exe
The Trojan then creates the following folder with hidden system attributes:
%System%\wsnpoem
The Trojan horse then creates the following files, which are used first to gather information and second to store the Trojan's encrypted configuration:
• %System%\wsnpoem\audio.dll
• %System%\wsnpoem\video.dll
Then the Trojan horse creates the following registry entries, which are executed every time at start-up:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
The Trojan also changes the following registry entry so that it is executed every time Windows starts up:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"
Then it injects malicious code into the following running processes:
• WINLOGON.EXE
• SVCHOST.EXE
The Trojan horse targets all running processes, except the following process:
CSRSS.EXE
The Trojan also creates the following mutexes to synchronize all of its active threads running in memory:
• __SYSTEM__23D80F10__
• __SYSTEM__45A2F601__
• __SYSTEM__7F4523E5__
• __SYSTEM__91C38905__
The injected code tries to prevent the Trojan from being deleted by blocking access to the malicious files. The Trojan horse also regenerates all sub-keys associated with the malicious files if they have been deleted.
The Trojan horse can then create the following registry entries as infection markers:
HKEY_LOCAL_MACHINE\Software\microsoft\windows nt\currentversion\network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"
HKEY_CURRENT_USER\Software\microsoft\windows\currentversion\explorer\"{6780A29E-6A18-0C70-1DFF-1610DDE00108}" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\microsoft\windows\currentversion\explorer\"{F710FA10-2031-3106-8872-93A2B5C5C620}" = "[HEXADECIMAL VALUE]"
The Trojan deletes all Internet Explorer cookies, so that users have to enter their user name and password again every time they log in to their bank's website.
The Trojan stores this information in order to steal passwords from the infected machine.
It then hijacks the following system functions in NTDLL.DLL using rootkit techniques, so that malicious code is injected into every process:
• NtCreateThread
• LdrLoadDll
• LdrGetProcedureAddress
The Trojan tries to hijack the following functions from the WININET.DLL library to monitor network functions and to steal confidential private data:
• HttpSendRequestW
• HttpSendRequestA
• HttpSendRequestExW
• HttpSendRequestExA
• InternetReadFile
• InternetReadFileExW
• InternetReadFileExA
• InternetQueryDataAvailable
• InternetCloseHandle
The Trojan tries to hijack the following functions of the WS2_32.DLL and WSOCK32.DLL libraries to monitor confidential network data:
• send
• sendto
• closesocket
• WSASend
• WSASendTo
The Trojan also tries to hijack the following functions of the USER32.DLL library with similar aims:
• GetMessageW
• GetMessageA
• PeekMessageW
• PeekMessageA
• GetClipboardData
The Trojan can change the contents of the following hosts file:
%System%\drivers\etc\.
The Trojan can execute the following activities on an infected machine:
• Hijacking network traffic
• Keylogging
• Stealing clipboard information
• Saving screenshots of the current desktop
• Re-directing all traffic
The Trojan horse has been configured to look for the following keywords in URLs and HTTP packets:
• *Tan*
• *Schmetterling*
• *berweisung*
• *Amount*
• *tanentry*
• *RESULT2*
• *citibank.de/*
• I2=*&H0=DT
• *banking.*/cgi/ueber*.cgi*
• ###=######&tid=*
• [https://]onlineeast.bankofamerica.com/cgi-bin/ias/*/GotoW[REMOVED]
• CustomerServiceMenuEntryPoint?custAction=75
• bankofamerica.com/cgi-bin/ias/*/GotoWelcome
• *
Good luck cleansing this "rotter" from your computer,
polonus
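As an added example (not part of polonus's post, and not any vendor's tool), here is an offline Python check for the persistence indicators listed above. It parses the text format written by `reg export` and flags a Winlogon "Userinit" value with anything appended after userinit.exe, a Run value named "userinit" or pointing at ntos.exe, the Network\UID infection marker, and mutex names matching the __SYSTEM__xxxxxxxx__ pattern quoted in the post. The .reg contents and the mutex list below are constructed samples built from the values in the post; the expansion of %System% to C:\WINDOWS\system32 is an assumption you may need to adjust.

```python
import re

# Assumed expansion of %System% on the host being checked (adjust if Windows is
# installed elsewhere); the post writes paths with the %System% placeholder.
SYSTEM_DIR = r"c:\windows\system32"

# Mutex naming pattern used by the samples quoted in the post (__SYSTEM__ + 8 hex digits).
MUTEX_RE = re.compile(r"__SYSTEM__[0-9A-F]{8}__")

# One "name"="string data" line as written by `reg export` (REG_SZ values only).
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}} (string values only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            # reg export doubles backslashes and escapes quotes; undo that.
            keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return keys


def _normalize(path):
    return path.strip().strip('"').lower()


def unexpected_userinit_entries(userinit_value):
    """Return every entry of a Winlogon Userinit value other than userinit.exe in %System%.

    The legitimate value is userinit.exe followed by a trailing comma, so a clean
    machine yields an empty list.
    """
    expected = SYSTEM_DIR + r"\userinit.exe"
    entries = [_normalize(p) for p in userinit_value.split(",") if p.strip()]
    return [e for e in entries if e != expected]


def find_indicators(reg_text, mutex_names=()):
    """Return (kind, key, detail) tuples for every indicator found."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(r"\windows nt\currentversion\winlogon"):
            for extra in unexpected_userinit_entries(values.get("Userinit", "")):
                findings.append(("winlogon_userinit", key, extra))
        elif k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                # The post's Run values are named "userinit" and point at ntos.exe.
                if name.lower() == "userinit" or _normalize(data).endswith(r"\ntos.exe"):
                    findings.append(("run_key", key, f"{name} = {data}"))
        elif k.endswith(r"\windows nt\currentversion\network") and "UID" in values:
            findings.append(("infection_marker", key, "UID = " + values["UID"]))
    for name in mutex_names:
        if MUTEX_RE.fullmatch(name):
            findings.append(("mutex", "", name))
    return findings


# Constructed sample of what `reg export` would write for an infected box, using the
# values quoted in the post (not a real capture).
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="WORKSTATION_1A2B3C4D"
"""

# Constructed clean baseline for comparison.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Mutex names as a handle-listing tool would report them; the __SYSTEM__ ones are from the post.
INFECTED_MUTEXES = ["ShimCacheMutex", "__SYSTEM__64AD0625__", "__SYSTEM__7F4523E5__"]

if __name__ == "__main__":
    for kind, key, detail in find_indicators(INFECTED_REG, INFECTED_MUTEXES):
        print(f"{kind:18} {key} {detail}")
    print("clean baseline findings:", find_indicators(CLEAN_REG, ["ShimCacheMutex"]))
```

On a live machine you would feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the Run and Network keys) plus a mutex listing from a handle-enumeration tool; the Userinit check is the one worth keeping in any baseline, since anything after userinit.exe in that value is a persistence mechanism regardless of the file name used.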