Generic PWS.o

Type: Trojan
SubType: Win32
Discovery Date: 04/06/2005
Length: varies
Minimum DAT: 4463 (04/06/2005)
Updated DAT: 6709 (05/12/2012)
Minimum Engine: 5.4.00
Description Added: 04/06/2005
Description Modified: 10/18/2011 5:38 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

--Updated on August 19, 2011 -----------------

File Information

  • MD5  - b1471974456bcad1ccd7b16b1ea31e9b
  • SHA  - 6a1d5f6fc251bb4f5e0e97039d0b5cc525ca92f5

Aliases

  • Kaspersky - Backdoor.Win32.Agent.bojx
  • NOD32     - a variant of Win32/Farfli.FX
  • Ikarus    - Trojan-Spy.Win32.Zener
  • Microsoft - TrojanSpy:Win32/Zener.A

Upon execution the Trojan injects itself and connects to the site mete[Removed IP] over remote port 80.

The following registry value has been added.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Kris  = " %UserProfile%\Desktop\1.exe"

--Updated on March 04, 2010 -----------------

File Information

  • MD5  - 2C3A612B7A40A1014A74064EBCD9C39F
  • SHA  - 5E844E4603027A6BE855F4EF2D679A72FBCC224E

Aliases

  • Kaspersky - Trojan.Win32.Scar.dptf
  • NOD32     - Win32/Pinit.BH
  • Ikarus    - Trojan.Win32.Scar
  • Microsoft - Trojan:Win32/Mariofev.B

Upon execution the Trojan injects itself into explorer.exe and connects to the site mete[Removed]let.com over remote port 80.

When executed, the Trojan copies itself into the following location:

  • %Appdata%\Microsoft\Internet Explorer\report.exe

It also drops the following files:

  • %Appdata%\Help\a.dll
  • %Appdata%\Help\d.dll
  • %Appdata%\Help\n.dll
  • %Appdata%\Help\o.dll
  • %Appdata%\Help\p.dll

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WMIC
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\S-1-(Varies)\CurrentVersion\Driversx
  • HKEY_CURRENT_USER\S-1-(Varies)\CurrentVersion\Driversx64
  • HKEY_CURRENT_USER\S-1-(Varies)\CurrentVersion\WOW
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Wbem
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Wbem\WMIC

The following registry value has been added.

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\RunOnce\3A83D5AF9C2141B93A805F86F22C4B82959923278DBC46AFE4932FBB1CBD4E0C: ""%Appdata%\Microsoft\Internet Explorer\report.exe""

The above registry value registers a run entry on the compromised system so that the Trojan executes on every boot.

The following Windows Firewall exception has also been added, which allows explorer.exe (the process the Trojan injects into) through the firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "c:\windows\explorer.exe" = "c:\windows\explorer.exe:*:Enabled:explorer"

[%UserProfile% is C:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\, and %SystemDrive% is the drive where the operating system is installed; in most cases it will be C:\]

----------------------------------------------------------------------------

---Updated on December 22, 2010 ---------------

File Information

  • MD5  - b518cb66c5b25e6c84c0a247d8cbf8dd
  • SHA  - 3e25519b2f0353499495254743559e1a4abbe707

Aliases

  • NOD32     - a variant of Win32/PSW.OnLineGames.PPQ
  • Symantec  - W32.Gammima.AG
  • Kaspersky - Trojan-GameThief.Win32.Magania.ebni
  • Comodo    - TrojWare.Win32.Trojan.Agent.Gen

Upon execution the Trojan injects itself into IExplore.exe and connects to the site ba[Removed]uj8y.com over remote port 80.

The Trojan copies itself to the following locations:

  • %SystemDrive%\jxc.exe
  • [Removable Drive]:\JXC.exe

It also drops the following files:

  • %SystemDrive%\autorun.inf
  • [Removable Drive]:\autorun.inf
  • %Temp%\rbking.exe
  • %Temp%\rbking0.dll

It drops an autorun.inf file into the root of all removable and mapped drives so that an executable is launched when the drive is accessed.

The "AutoRun.inf" file points to the malware executable; when the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax:

    [AutoRun]
    open=jxc.exe
    shell\open\Command=jxc.exe

The following registry value has been added.

  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run
    "king_rb" = "%Temp%\rbking.exe"

The above registry value ensures that the Trojan executes every time Windows starts.

The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    "CheckedValue" = 0x00000000
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "Hidden" = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    "CheckedValue" = 0x00000001
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "Hidden" = 0x00000002
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "ShowSuperHidden" = 0x00000000

The above registry entries show that the Trojan prevents the user of the compromised system from viewing hidden files and folders.

----------------------------------------------------------------------------------------------------

-----Updated on December 18, 2010 ---------------

File Information

  • MD5  - 65AAEF9437B53EC7F727BE297FE97B39
  • SHA  - 15FBF4EB373D83E3DD2D860C096DD443E8882A6A

Aliases

  • Kaspersky - Trojan-PSW.Win32.Agent.vet
  • GData     - Trojan.Generic.5190340
  • Ikarus    - Trojan-Spy
  • F-Secure  - Trojan.Generic.5190340

The Trojan tries to connect to the site abcbb.9[Removed]23.com.

It then downloads the file msimage.dat, which gathers machine information and sends it to the above site.

It creates a registry run key to load itself at startup.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

---------------------------------------------------------------------------------------------------

Update: 07/09/2010

A new variant of Generic PWS.o can download malware and monitor visited websites.

It drops the following file:

  • %ProgramFiles%\internet explorer\setupapi.dll (also detected as Generic PWS.o)

It then opens Internet Explorer and attempts to connect to any of the following domains:

  • mvenfor.com
  • atlantisian.org
  • subcrawler.net
  • servicedm.cn
  • allworld20.net
  • google-marks.com

--------------------------------------------------------------------------

Update: 07/10/2008

A new variant of Generic PWS.o captures keystrokes.

It drops the following files:

  • %WinDir%\system32\beep.sys
  • %WinDir%\system32\ds.dat
  • %WinDir%\system32\gwin32.dll
  • %WinDir%\system32\swin32.dll
  • %WinDir%\randseed.rnd

It deletes the following system files:

  • %WinDir%\system32\clb.dll
  • %WinDir%\system32\clbcatex.dll
  • %WinDir%\system32\clbcatq.dll
  • %WinDir%\system32\dllcache\clb.dll
  • %WinDir%\system32\dllcache\clbcatex.dll
  • %WinDir%\system32\dllcache\clbcatq.dll

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
  • HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver

--------------------------------------------------------------------------

Update: 05/24/2007

A new variant of Generic PWS.o is being downloaded via malicious URLs. When executed, this variant injects a DLL into the explorer.exe memory space in order to download various online-game password stealers.

The DLL is dropped in the %programfiles%\Internet Explorer folder under the following names:

  • BinNice.dll
  • HiJack.dll
  • RomDrivers.dll

The Trojan copies itself into the %programfiles%\Internet Explorer folder under the following names:

  • BinNice.bak
  • HiJack.bak
  • RomDrivers.bak

The Trojan attempts to download other online-game password stealer Trojans from the following malicious URLs. These URLs host exploits such as MS06-014 and MS07-017.

  • hxxp://16a.us
  • hxxp://7y7.us
  • hxxp://ws91.com

Registry changes:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "%programfiles%\Internet Explorer\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09B68AD9-FF66-3E63-636B-B693E62F6236}:

Update: 04/20/2007

A variant of Generic PWS.o is being downloaded by Generic Downloader.ab. This variant is injected into the Explorer.exe process and tries to communicate with 81.29.241.20 to send captured information to the author.
It will be looking for POP, FTP, IMAP and ICQ passwords.
--------------------------------------------------------------------------

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via HTTP. Online email and bank account information (username/password) is particularly vulnerable to this threat.

There are several variants of the trojan. The description is for a specific sample.

When run, the Trojan copies itself to the %Sysdir% directory. The following file name is used:

  • MSSVC.EXE

It creates a registry run key to load itself at Windows start up.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "winnsvc" = "msvc.exe"

Symptoms

The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
