

TrojanDropper:Win32/Festi.C


TrojanDropper:Win32/Festi.C is a trojan that installs Backdoor:WinNT/Festi.C, a kernel-mode backdoor that gives an attacker unauthorized access to, and control of, the infected computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDropper:Win32/Festi.C is a trojan that installs Backdoor:WinNT/Festi.C, a kernel-mode backdoor that gives an attacker unauthorized access to, and control of, the infected computer.
Payload
Drops other malware
When run, TrojanDropper:Win32/Festi.C drops a kernel-mode driver and a batch script at the following locations:
 
  • <system folder>\drivers\<random file name>.sys - Backdoor:WinNT/Festi.C,
  • %TEMP%\<random file name>.bat - batch script utility, removes TrojanDropper:Win32/Festi.C
 
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
 
TrojanDropper:Win32/Festi.C then registers a service for the dropped driver and starts it, so the driver is loaded into the kernel. Once loaded, the driver runs the batch script, which deletes the dropper's own executable so that it is no longer present on disk; the driver and its service are what remain on the infected system.
 
TrojanDropper:Win32/Festi.C also checks whether it is running in a virtual machine and exits if it is. Because of this check, the dropper may appear to do nothing when executed inside an analysis VM or sandbox; the driver drop and service installation described above are only observed on a physical host or in an environment the check does not recognize.
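The following PowerShell triage script is an added example and is not part of the Microsoft write-up or of the malware itself. It hunts for the two artifacts the entry describes on a suspect Windows host: a recently created, unsigned kernel driver registered as a service under <system folder>\drivers, and leftover .bat files in %TEMP%. The 30-day window, the choice of "not validly signed" as the filter, and the path-normalization rules are assumptions for illustration; the service and file names are not known in advance because the malware randomizes them. Run it from an elevated PowerShell prompt.

```powershell
# Added triage example (not from the Microsoft write-up): look for a recently
# created, unsigned .sys registered as a kernel driver service under
# <system folder>\drivers, and for recent .bat files in %TEMP%.
param([int]$DaysBack = 30)   # assumption: "recent" means the last 30 days; tune as needed

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$cutoff    = (Get-Date).AddDays(-$DaysBack)

# 1. Enumerate kernel-mode drivers registered as services and resolve their image paths.
$suspects = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    # PathName may be stored as \SystemRoot\..., \??\C:\... or system32\...;
    # normalise to a plain Win32 path (assumed forms, covers the common cases).
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot `
                  -replace '^\\\?\?\\', '' `
                  -replace '^system32\\', "$env:SystemRoot\System32\"
    if (-not (Test-Path -LiteralPath $path)) { return }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service   = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Path      = $path
        Created   = $file.CreationTime
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
} | Where-Object {
    $_.Path -like "$driverDir\*" -and
    $_.Created -ge $cutoff -and
    $_.Signature -ne 'Valid'
}

"Kernel driver services under $driverDir created since $cutoff without a valid signature:"
$suspects | Format-Table -AutoSize

# 2. The dropper's helper script is written to %TEMP%. It deletes the dropper
#    executable; whether it removes itself is not stated, so list recent .bat files.
"Recent .bat files in $env:TEMP:"
Get-ChildItem -Path $env:TEMP -Filter '*.bat' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

An empty result does not prove the host is clean: a loaded rootkit driver can hide its file and its service entry from enumeration performed on the running system, so confirm findings with a full scan by an up-to-date antivirus product or by examining the disk from offline boot media.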
 
Analysis by Elda Dimakiling

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Alert level: Severe
First detected by definition: 1.93.1092.0
Latest detected by definition: 1.175.1267.0 and higher
First detected on: Nov 03, 2010
This entry was first published on: Nov 03, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Rootkit.Tent.CB (VirusBuster)
  • Win32/Rootkit.Agent.NRD (ESET)
  • Rootkit.Win32.Tent (Ikarus)
  • Rootkit.Win32.Tent.cee (Kaspersky)
  • Hacktool.Rootkit (Symantec)