BackDoor-IM

Type
Trojan
SubType
Remote Access
Discovery Date
02/20/2001
Length
40,960 bytes
39,424 bytes
Minimum DAT
4125 (02/28/2001)
Updated DAT
4406 (11/10/2004)
Minimum Engine
5.1.00
Description Added
11/13/2003
Description Modified
11/13/2003 3:33 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a remote access trojan written in MSVB. There are multiple versions of the trojan.

The trojan is intended to download pages from specific URLs, all within the following domain:

CJB.NET

Upon execution, the trojan copies itself to %SysDir% using a misleading filename. For example:

C:\WINDOWS\SYSTEM\PTSNOOP.EXE

An entry is added to the WIN.INI file to hook system startup:

[windows]
"load" = C:\WINDOWS\SYSTEM\PTSNOOP.EXE

The trojan registers itself as a service process, and so cannot be seen when viewing the task list.

Symptoms

  • Connections to unexpected URLs (within CJB.NET domain) when connected to the Internet.
  • Existence of the file and WIN.INI hook detailed above.
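The second symptom is easy to verify mechanically: a clean WIN.INI has empty load= and run= lines under [windows], so any program listed there deserves a look. The script below is an added example for this write-up, not McAfee's own tooling. It parses WIN.INI-style text (the sample is constructed to mirror the hook quoted above, and the parser also accepts the quoted key form the write-up uses), lists every program on load= or run=, and flags those placed in the system directory, which is the copy-to-%SysDir% pattern the description notes. The system directory path and the Registry location mentioned in a comment are assumptions about standard Windows layout, not values from this page.

```python
"""
Check a WIN.INI-style file for the [windows] load=/run= startup hooks that
BackDoor-IM uses. Added example for this write-up, not McAfee's own tooling.
The sample INI text is constructed to mirror the hook quoted in the description.
"""
import os
import re
import sys

# Constructed sample (not captured from a real host). Keys appear unquoted here,
# as Windows writes them; the write-up's quoted form is also accepted below.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[windows]
load=C:\\WINDOWS\\SYSTEM\\PTSNOOP.EXE
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Both keys start programs at logon on Windows 9x/ME. On NT-based Windows the
# same hook lives as the Load/Run values under
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (assumed standard
# location, not taken from this write-up).
HOOK_KEYS = ("load", "run")

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEY_VALUE_RE = re.compile(r'^\s*"?([^"=]+?)"?\s*=\s*(.*?)\s*$')


def parse_ini(text):
    """Map section -> {key: value}, lower-casing names; skips blanks and ; comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = _SECTION_RE.match(line)
        if section:
            current = section.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        pair = _KEY_VALUE_RE.match(line)
        if pair and current is not None:
            sections[current][pair.group(1).strip().lower()] = pair.group(2)
    return sections


def split_programs(value):
    """load=/run= hold a space-separated list of programs (commas tolerated).
    Paths containing spaces are ambiguous in this legacy format; Windows 9x
    expected 8.3 names here, so splitting on whitespace mirrors its behaviour."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def find_startup_hooks(text):
    """Return every (key, program) pair found under [windows] load= and run=.
    A clean WIN.INI normally has both keys empty, so any entry deserves review."""
    windows = parse_ini(text).get("windows", {})
    hooks = []
    for key in HOOK_KEYS:
        for program in split_programs(windows.get(key, "")):
            hooks.append((key, program))
    return hooks


def names_system_dir_file(program, system_dir="C:\\WINDOWS\\SYSTEM"):
    """True when the hooked program sits in the system directory (assumed default
    path), the placement the write-up describes for the trojan's copy."""
    return program.upper().startswith(system_dir.upper() + "\\")


def main(path=None):
    # With a path, scan that file (e.g. a WIN.INI copied off a suspect host);
    # without one, run against the constructed sample.
    text = open(path, encoding="ascii", errors="replace").read() if path else SAMPLE_WIN_INI
    hooks = find_startup_hooks(text)
    if not hooks:
        print("no load=/run= hooks in [windows]")
        return 0
    for key, program in hooks:
        flag = " (in %SysDir%)" if names_system_dir_file(program) else ""
        present = os.path.exists(program) if path else "n/a"
        print(f"{key}={program}{flag} exists_on_disk={present}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with no arguments to see the sample flagged, or pass the path of a WIN.INI to scan a real file; a non-zero exit code means at least one hook was found, so the script can sit in a simple triage loop. Because the trojan hides itself from the Windows 9x task list by registering as a service process, the INI hook and the file on disk are the more dependable indicators than a process listing.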

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Ptsnoop (AVP)
  • BKDR_PTSNOOP (Trend)
