McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trojan.Win32.Rewt (AVP)

• Trojan:Win32/Rewt (GeCAD RAV)

Characteristics

This is an IRC remote access trojan. When run, it creates the following registry key to load itself at Windows startup:

• HEKY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "Services" = (trojan file name)

The trojan creates a file "win.gsr" in the Windows directory. It is a text configuration file.

The trojan connects to the following IRC server at port 6667:

• irc2.secsup.org

It attempts to join a specific IRC channel on the server using a specific nick name. It opens port 1298 on local machine and listens on the port. Once connection is made. Attacker can view victims on the IRC channel and perform certain activities on the victim's machine, which includes remote access or denial of service actions.

Symptoms

Existence of registry key or file mentioned above.
Port 1298 is left open on the machine.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trojan.Win32.Rewt (AVP)

• Trojan:Win32/Rewt (GeCAD RAV)

Characteristics

Characteristics -

This is an IRC remote access trojan. When run, it creates the following registry key to load itself at Windows startup:

• HEKY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "Services" = (trojan file name)

The trojan creates a file "win.gsr" in the Windows directory. It is a text configuration file.

The trojan connects to the following IRC server at port 6667:

• irc2.secsup.org

It attempts to join a specific IRC channel on the server using a specific nick name. It opens port 1298 on local machine and listens on the port. Once connection is made. Attacker can view victims on the IRC channel and perform certain activities on the victim's machine, which includes remote access or denial of service actions.

Symptoms

Symptoms -

Existence of registry key or file mentioned above.
Port 1298 is left open on the machine.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A