VIRUS NAME : Reboot-R
Trojan
Characteristics
This trojan shuts down the host machine upon execution and at subsequent Windows startup. It utilises a
system tool that is included by default only with Windows XP. It is written
in Visual Basic, and at the time of writing AVERT has received two samples from
the field.
When run on the victim machine, the trojan uses a system tool (c:\windows\system32\shutdown.exe,
hardcoded in the trojan) to shut down the victim machine in 60 seconds. A fake
comment is passed to the tool, spoofing a message shown in a message box with
the title "SYSTEM SHUTDOWN".
The trojan also copies itself to the Windows Startup directory as 'rundll32.exe'
to run at subsequent system startup (causing a reboot loop):
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rundll32.exe
On non-XP machines, the trojan copies itself to the Windows Startup folder as
above, but is rendered harmless because shutdown.exe is not installed by
default. A system error message is observed.
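The persistence artifact described above (a file named 'rundll32.exe' sitting in the Startup folder rather than in System32) can be checked for in a collected file listing. The following is an added example, not part of the original description; the list of system binary names, the legitimate directories and the sample listing are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules on any OS, so a collected listing can be checked offline

# Assumed short list of binaries that normally live only in the system directory.
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "lsass.exe",
                       "services.exe", "winlogon.exe"}
# Assumed default install locations (the description hardcodes c:\windows\system32).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Tail shared by per-user and All Users Startup folders.
STARTUP_MARKER = r"\start menu\programs\startup"


def classify(path):
    """Return a finding label for a system-binary name in the wrong place, else None."""
    norm = ntpath.normcase(ntpath.normpath(path))  # lower-case, backslashes only
    directory, name = ntpath.split(norm)
    if name not in SYSTEM_BINARY_NAMES or directory in LEGIT_DIRS:
        return None
    if directory.endswith(STARTUP_MARKER):
        # Matches the behaviour described: the copy runs at every startup.
        return "startup-masquerade"
    return "masquerade"


def scan(paths):
    """Return (path, finding) pairs for every suspicious entry in a listing."""
    findings = []
    for path in paths:
        label = classify(path)
        if label:
            findings.append((path, label))
    return findings


# Constructed sample listing; only the first path comes from the description.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rundll32.exe",
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Temp\svchost.exe",
]

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_LISTING):
        print(f"{finding}: {path}")
```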
Symptoms
above message box displayed at system startup
machine shutting down after restart
Method Of Infection
The trojan infects the victim machine when it is executed. By copying itself
to the Windows Startup folder, it is executed at subsequent startup.