Content
PWS-Narod
- Type
- Trojan
- SubType
- Password
- Discovery Date
- 06/01/2003
- Length
- 9216 Bytes.
- Minimum DAT
- 4271 (06/11/2003)
- Updated DAT
- 5368 (08/22/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 07/10/2003
- Description Modified
- 07/10/2003 11:21 AM (PT)
Tab Navigation
Characteristics
This password stealing trojan attempts to retrive local machine information and email it to the author.
When run, the trojan copies itself to the %Windir% folder as dllreg.exe.
It also copies itself to the %Systemdir% folder as load32.exe and vxdmgr32.exe.
This trojan also disables several anti-virus and firewall products. The file responsible for this is sysdrv.exe which is found in the the %Windir% folder. This file is already detected as 'ProcKill-A' since 4235 DATS.
In order to run automatically after a restart it copies itself to the Windows Startup folder as rundllw.exe and the following registry keys a re created:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "load32"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "ZoneAlarm 2.99"
It adds a run entry to the windows section in the WIN.INI file pointing to dllreg32.exe and modifies the shell entry in the boot section of the SYSTEM.INI file to point to vxdmgr32.exe.
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This password stealing trojan attempts to retrive local machine information and email it to the author.
When run, the trojan copies itself to the %Windir% folder as dllreg.exe.
It also copies itself to the %Systemdir% folder as load32.exe and vxdmgr32.exe.
This trojan also disables several anti-virus and firewall products. The file responsible for this is sysdrv.exe which is found in the the %Windir% folder. This file is already detected as 'ProcKill-A' since 4235 DATS.
In order to run automatically after a restart it copies itself to the Windows Startup folder as rundllw.exe and the following registry keys a re created:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "load32"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "ZoneAlarm 2.99"
It adds a run entry to the windows section in the WIN.INI file pointing to dllreg32.exe and modifies the shell entry in the boot section of the SYSTEM.INI file to point to vxdmgr32.exe.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
