Trojan.Fotomoto.A

Spreading: very high
Damage: low
Size: ~122KB
Discovered: 2007 Jun 13

SYMPTOMS:

Presence of a key named "DomaineService" in "HKLM\Sytem\CurentControlSet\Services\Run"
Presence of a process with a random name which changes the PID (Process ID) every second (the process restarts itself often)
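
The second symptom can be checked from a series of process listings taken about one second apart. The following is an added example, not part of the original description or of any BitDefender tool; it assumes the image name stays the same across restarts, and the snapshots and the name qzxkvb.exe are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: five process listings taken one second apart,
# each a list of (image_name, pid). "qzxkvb.exe" is a made-up name.
SAMPLE_SNAPSHOTS = [
    [("explorer.exe", 1200), ("svchost.exe", 800), ("svchost.exe", 812), ("qzxkvb.exe", 3000)],
    [("explorer.exe", 1200), ("svchost.exe", 800), ("svchost.exe", 812), ("qzxkvb.exe", 3044)],
    [("explorer.exe", 1200), ("svchost.exe", 800), ("svchost.exe", 812), ("qzxkvb.exe", 3102)],
    [("explorer.exe", 1200), ("svchost.exe", 800), ("svchost.exe", 812),
     ("svchost.exe", 4020), ("qzxkvb.exe", 3160)],
    [("explorer.exe", 1200), ("svchost.exe", 800), ("svchost.exe", 812), ("qzxkvb.exe", 3216)],
]


def find_restarting_processes(snapshots, min_changes=3):
    """Return image names whose PIDs were entirely replaced in at least
    `min_changes` consecutive sightings (oldest snapshot first)."""
    last_seen = {}                # name -> PIDs at the last sighting
    streak = defaultdict(int)     # consecutive full PID replacements per name
    flagged = set()
    for snap in snapshots:
        current = defaultdict(set)
        for name, pid in snap:
            current[name.lower()].add(pid)
        for name, pids in current.items():
            old = last_seen.get(name)
            if old is not None and old.isdisjoint(pids):
                # Same image name, no surviving PID: the process restarted.
                streak[name] += 1
                if streak[name] >= min_changes:
                    flagged.add(name)
            else:
                # First sighting, or at least one PID survived (e.g. svchost.exe
                # gaining an extra instance): not a restart loop.
                streak[name] = 0
            last_seen[name] = pids
    return sorted(flagged)


if __name__ == "__main__":
    print(find_restarting_processes(SAMPLE_SNAPSHOTS))
```

Short-lived tools that are legitimately launched over and over can also match, so a hit is a lead for triage rather than a verdict.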

TECHNICAL DESCRIPTION:

Trojan.Fotomoto.A is a trojan with adware functionality.
When installed, this version performs the following actions:

a) It connects to an Internet server and reports some basic
information about the computer, then receives from that server
information about that computer which is stored in a
database on the server. That information also includes the date when the
computer was added to the database.

b) It modifies the following registry entry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
   "SFCDisable" = "4"

c) It modifies the following registry entry:
   HKEY_LOCAL_MACHINE\Sytem\CurentControlSet\Services\Run\
   "DomaineService" = path to trojan

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect your files.

ANALYZED BY:

Sorin Ciorceri, virus researcher