McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Detection was added to cover for a malicious 32 bit PE file originally called "sysnt.exe ", having a filesize of 26112 bytes. The file is internally compressed with UPX.

Upon running the file, it runs silently, no gui messageboxes appear.

It doesn't copy/move itself into another area like the %windows\%system folder. Instead it creates a registry entry to call the binary from the original location it was run from.  On a testpc it was run from the c:\danger directory. The added registry entry was:

It can be controlled over Irc.

A file can be downloaded from a website and pushed onto the client's system where it can be run remotely by a hacker.

However it is also possible to flood someone with "udp" and or "syn" packets.

Symptoms

Presence of the file/registry as mentioned above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

Detection was added to cover for a malicious 32 bit PE file originally called "sysnt.exe ", having a filesize of 26112 bytes. The file is internally compressed with UPX.

Upon running the file, it runs silently, no gui messageboxes appear.

It doesn't copy/move itself into another area like the %windows\%system folder. Instead it creates a registry entry to call the binary from the original location it was run from.  On a testpc it was run from the c:\danger directory. The added registry entry was:

It can be controlled over Irc.

A file can be downloaded from a website and pushed onto the client's system where it can be run remotely by a hacker.

However it is also possible to flood someone with "udp" and or "syn" packets.

Symptoms

Symptoms -

Presence of the file/registry as mentioned above

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A