BackDoor-ASD

Type: Trojan
SubType: Remote Access
Discovery Date: 03/25/2003
Length: 8,704 / 15,872
Minimum DAT: 4255 (04/02/2003)
Updated DAT: 4534 (07/13/2005)
Minimum Engine: 5.1.00
Description Added: 03/25/2003
Description Modified: 03/25/2003 2:33 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This is a remote access trojan. Different packed versions of the trojan have been received.

When run, the trojan copies itself to the Windows directory as IEXPLORy.EXE or IEXPLORz.EXE, depending on which packed version is run. It creates the following registry value so that it runs at Windows start-up:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "MSTestNB" = C:\WINDOWS\IEXPLORy.EXE (or IEXPLORz.EXE)

The trojan enumerates the running processes and terminates any whose name appears in the following list. It also overwrites each terminated process's executable file with a copy of itself.

  • ZONEALARM.EXE
  • ZAPRO.EXE
  • VSMON.EXE
  • MINILOG.EXE
  • FRW.EXE
  • CPD.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • BLACKICE.EXE
  • PERSFW.EXE
  • SMC.EXE
  • SUBSEVEN_FIREWALL_VERSION_1.0.EXE
  • PCCPFW.EXE
  • VSHWIN32.EXE
  • AVCONSOL.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • NAVAPW32.EXE
  • AVSYNMGR.EXE
  • WEBSCANX.EXE
  • ALOGSERV.EXE
  • CMGRDIAN.EXE
  • APVXDWIN.EXE
  • PAVPROXY.EXE
  • REALMON.EXE
  • PCCCLIENT.EXE
  • PCCIOMON.EXE
  • POP3TRAP.EXE
  • TMPROXY.EXE

The trojan also deletes the registry keys used by the processes listed above.

The trojan opens port 23433 and listens on it. It sends a notification message to various web sites via HTTP. The message includes the victim machine's IP address, the port opened, the machine name, the trojan service name and password information.

Symptoms

Presence of the files and registry value mentioned above. Port 23433 is left open.
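As an added example (not McAfee's code), the following Python helper checks text captured from a suspect host against the indicators this advisory lists: the MSTestNB value in a `reg export` of the Run key, a listener on port 23433 in `netstat -an` output, and the dropped file names in a listing of the Windows directory. The sample captures embedded in it are constructed, and the function names are assumptions of this example.

```python
import re

# Indicators quoted from the advisory above (the file-name check is case-insensitive).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MSTestNB"
DROPPED_FILES = {"IEXPLORY.EXE", "IEXPLORZ.EXE"}
BACKDOOR_PORT = 23433

# Constructed sample captures (not real host data) so the block runs offline.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSTestNB"="C:\\WINDOWS\\IEXPLORy.EXE"
"""
SAMPLE_NETSTAT = "  TCP    0.0.0.0:23433          0.0.0.0:0              LISTENING\n"
SAMPLE_LISTING = ["NOTEPAD.EXE", "iexplorz.exe", "WIN.INI"]


def check_run_key(reg_export: str) -> list[str]:
    """Find the MSTestNB autorun value in a `reg export` (.reg) of the Run key."""
    findings, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # [HKEY_...] section header
        elif current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"\s*=\s*"?(.*?)"?$', line)
            if m and m.group(1) == RUN_VALUE:
                path = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
                findings.append(f"Run value {RUN_VALUE} -> {path}")
    return findings

def check_listener(netstat_output: str) -> list[str]:
    """Find a LISTENING socket on the backdoor port in `netstat -an` output."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[-1] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                findings.append(f"listener on port {BACKDOOR_PORT}: {parts[1]}")
    return findings

def check_dropped_files(windows_dir_listing: list[str]) -> list[str]:
    """Match dropped-file names in a listing of the Windows directory."""
    return [f"dropped file present: {n}" for n in windows_dir_listing
            if n.upper() in DROPPED_FILES]

def triage(reg_export: str, netstat_output: str, listing: list[str]) -> list[str]:
    """Run all three checks; an empty list means none of the indicators was seen."""
    return (check_run_key(reg_export) + check_listener(netstat_output)
            + check_dropped_files(listing))
```

A hit on the Run value or the listener alone is enough to warrant the removal steps below; the file-name check confirms which packed version dropped itself.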

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Use the specified engine and DAT files for detection and removal. Delete any file that contains this detection.

Overwritten or deleted files must be restored from backup or reinstalled. Alternatively, System Restore can be used to restore deleted files.

AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.