Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Trojan.Baton Analysis Report
Threat Submitted On: 6/7/2008 2:29:53 AM
Threat Analysed On: 6/7/2008 7:29:53 AM
Threat Updated On: 1/27/2011 9:15:00 AM
Type : Trojan
Symptoms of Baton
  • Performs illicit activities under the disguise of a useful program.
  • Download malicious code and programs such as keyloggers.
  • It is capable of fetching user’s personal and confidential information.
Information
Alias : Trojan.Win32.Baton.a
Md5 Hash : [097aea4286a8546fe591cb0dad678884]
File Size : [Not Available]

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: ~systmp.bat
Path : %temp%

Md5Hash :cd8953aac3fbab9d0dbe023fbe1821fa ( 7141 bytes)
File: svchost.dll
Path : %windir%\system32\svchost\system

Md5Hash :( bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash :097aea4286a8546fe591cb0dad678884 ( bytes)
Creates the following child process(s) on execution:

%systemdrive%\docume~1\antisp~1.c10\locals~1\temp\~systmp.bat

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\smss

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\smss\system

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\smss\* /s

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\lsass

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\lsass\system

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\lsass\* /s

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\svchost

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\svchost\system

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\svchost\system\dll

%windir%\system32\attrib.exe attrib +s +h %windir%\system32\svchost\* /s

%windir%\system32\net.exe net start windows internet

net1 start windows internet

services.exe

NOTE:

1. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
2. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
3. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.