DNSChanger.c

Type: Trojan
SubType: Win32
Discovery Date: 11/04/2005
Length: 1,536 bytes
Minimum DAT: 4620 (11/04/2005)
Updated DAT: 5603 (05/02/2009)
Minimum Engine: 5.1.00
Description Added: 11/04/2005
Description Modified: 11/04/2005 11:19 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This trojan is designed to change your DNS entries so that name resolution is sent to a malicious DNS server for the purposes of phishing. It has been mass-spammed with the filename PayPal-2.5.200-MSWin32-x86-2005.exe.

When run, this trojan does not stay in memory. It does not copy itself to any other location or create any references to itself in startup locations.

This program modifies registry entries pertaining to DNS servers to point to the following IP address:

  • 193.227.227.218

Symptoms

DNS entries on any of your network adapters set to the following value:

  • 193.227.227.218

Network traffic targeting the following IP address:

  • 193.227.227.218

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. This file has been seen mass-spammed via email with the filename PayPal-2.5.200-MSWin32-x86-2005.exe.

Removal

All Users:
Use the specified engine and DAT files for detection and removal. Additional steps:

Care needs to be taken when cleaning machines infected with this trojan because of the modifications made to the TCP/IP interface settings. Go to the network settings on your machine (via Control Panel) and revert to your previous DNS settings. After making the required changes, you will be prompted with a message box similar to the following:

To do a complete recovery, some modifications are required to the Windows Registry, restoring the keys to their original values. The interface settings modified are within the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
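The symptom and removal sections above amount to one check: look under each interface subkey for a DNS server list that contains 193.227.227.218. The script below is an added example, not part of the original description or of the vendor's tooling; it parses a `reg export` of the Interfaces key (a constructed sample is embedded, with placeholder GUIDs) and reports which adapters still need their resolver restored.

```python
import re

# Indicator named in the description: the resolver address DNSChanger.c writes.
MALICIOUS_DNS = "193.227.227.218"

# Per-interface values that hold DNS server lists (static and DHCP-assigned).
DNS_VALUES = ("NameServer", "DhcpNameServer")

# Constructed sample of `reg export` output for the Interfaces key; the GUIDs
# are placeholders, not values from a real host. The first adapter has been
# pointed at the malicious resolver, the second still uses the LAN router.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000001}]
"EnableDHCP"=dword:00000000
"NameServer"="193.227.227.218"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpNameServer"="192.168.1.1 192.168.1.2"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\{GUID}]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string" (REG_SZ only)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}}; non-string values are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_hijacked_interfaces(text, bad_ip=MALICIOUS_DNS):
    """(interface GUID, value name) pairs whose DNS list contains bad_ip. Windows
    separates servers with commas or spaces, so the list is split before comparing;
    a plain substring test would also match unrelated addresses such as 193.227.227.21."""
    hits = []
    for key, values in parse_reg_export(text).items():
        guid = key.rsplit("\\", 1)[-1]
        for name in DNS_VALUES:
            servers = re.split(r"[ ,]+", values.get(name, "").strip())
            if bad_ip in servers:
                hits.append((guid, name))
    return hits
```

On a live machine the same export is produced with `reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" interfaces.reg`; each reported GUID corresponds to one adapter whose DNS settings must be reverted as described above.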

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.