TrojanDropper:Win32/Festi.C is a trojan that installs Backdoor:WinNT/Festi.C, a trojan backdoor that allows backdoor access to and control of an infected computer.
Drops other malware
When run, TrojanDropper:Win32/Festi.C drops a kernel-mode driver and a batch script as follows:
<system folder>\drivers\<random file name>.sys - Backdoor:WinNT/Festi.C,
%TEMP%\<random file name>.bat - batch script utility, removes TrojanDropper:Win32/Festi.C
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
TrojanDropper:Win32/Festi.C installs a service for the dropped kernel-mode driver, which is then loaded into memory. Once loaded, the driver runs the batch script to delete the malware copy.
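The install sequence described above (a process writes a .sys into the drivers folder and a .bat into %TEMP%, a service is registered for that driver, the batch script runs and the original file is deleted) is a chain a defender can correlate in endpoint telemetry. The following is an added example, not part of the original write-up and not Microsoft's detection logic: it parses a constructed, simplified key=value event log loosely modelled on Sysmon-style data (the file names, paths and the log format itself are invented for the example) and reports one finding per process that completes the chain, rating it higher when the self-removal step is also seen.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture). One simplified key=value line per
# event, loosely modelled on Sysmon/Windows event data; all names are made up.
SAMPLE_LOG = r"""
ts=1 event=FileCreate image=C:\Users\u\Downloads\invoice.exe target=C:\Windows\System32\drivers\qwzrtx.sys
ts=2 event=FileCreate image=C:\Users\u\Downloads\invoice.exe target=C:\Users\u\AppData\Local\Temp\klmnop.bat
ts=3 event=ServiceInstall name=qwzrtx path=C:\Windows\System32\drivers\qwzrtx.sys start=demand
ts=4 event=ProcessCreate image=C:\Windows\System32\cmd.exe cmdline="cmd /c C:\Users\u\AppData\Local\Temp\klmnop.bat"
ts=5 event=FileDelete image=C:\Windows\System32\cmd.exe target=C:\Users\u\Downloads\invoice.exe
ts=6 event=FileCreate image=C:\Windows\System32\svchost.exe target=C:\Windows\Temp\cache.dat
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# <system folder>\drivers\<name>.sys for the default System folder layouts named above
DRIVER_PATH = re.compile(r"^[a-z]:\\win(dows|nt)\\system32\\drivers\\[^\\]+\.sys$", re.I)
# %TEMP%\<name>.bat; any directory called Temp, since %TEMP% expands differently per user
TEMP_BAT = re.compile(r"\\temp\\[^\\]+\.bat$", re.I)


def parse_line(line):
    """Turn one key=value event line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def find_dropper_chains(log_text):
    """Return one finding per process that wrote a .sys into the drivers folder and a
    .bat into a Temp folder, where a service was then installed for that driver."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    state = defaultdict(lambda: {"sys": set(), "bat": set(), "service": None,
                                 "batch_run": False, "self_deleted": False})
    # Pass 1: attribute the two dropped files to the image that wrote them.
    for e in events:
        if e.get("event") != "FileCreate":
            continue
        target = e.get("target", "")
        if DRIVER_PATH.match(target):
            state[e.get("image", "?")]["sys"].add(target.lower())
        elif TEMP_BAT.search(target):
            state[e.get("image", "?")]["bat"].add(target.lower())
    # Pass 2: tie later events back to the candidate droppers found above.
    for e in events:
        kind = e.get("event")
        for image, st in state.items():
            if kind == "ServiceInstall" and e.get("path", "").lower() in st["sys"]:
                st["service"] = e.get("name")
            elif kind == "ProcessCreate" and any(b in e.get("cmdline", "").lower() for b in st["bat"]):
                st["batch_run"] = True
            elif kind == "FileDelete" and e.get("target", "").lower() == image.lower():
                st["self_deleted"] = True
    findings = []
    for image, st in state.items():
        if st["sys"] and st["bat"] and st["service"]:
            findings.append({
                "image": image,
                "driver": sorted(st["sys"])[0],
                "service": st["service"],
                "batch": sorted(st["bat"])[0],
                "batch_run": st["batch_run"],
                "self_deleted": st["self_deleted"],
                # Self-removal via the batch file separates this from an ordinary driver installer.
                "confidence": "high" if st["batch_run"] and st["self_deleted"] else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_dropper_chains(SAMPLE_LOG):
        print(finding)
```

A legitimate driver installer will also satisfy the first three conditions, which is why the confidence only rises to high when the batch file is executed and the writing process's own file is deleted afterwards; a real deployment would map the fields to whatever the endpoint sensor actually emits (for Sysmon, file-create, process-create and service events are separate event IDs) rather than the invented format used here.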
TrojanDropper:Win32/Festi.C also checks if it is running in a virtual machine, and exits if this is true.
Analysis by Elda Dimakiling
Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.