McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Adware/TopSpyware (Panda)

• security risk named W32/Agent.MN (Frisk)

• Spyre.A (Grisoft)

• TopantiL (MkS)

• TR/TopAntiSpyware.L (H+BEDV)

• Troj/Spyre-C (Sophos)

• TROJ_TOPANTSPY.C (Trend)

• Trojan.Fakealert (DrWeb)

• Trojan.TopAntiSpyware.B (VirusBuster)

• Trojan.TopAntiSpyware.L (Softwin)

• Trojan.Win32.TopAntiSpyware.L (Ikarus)

• Trojan.Win32.TopAntiSpyware.l (Kaspersky)

• Trojan.Win32.TopAntiSpyware.L (Prognet)

• Win32.DlExaw.O (CA VET)

• Win32/DlExaw.36864!Trojan (CA eTrust)

• Win32/TopAntiSpyware.L (Eset)

• Win32:AntiSpy [Adw] (Alwil)

Characteristics

Detection was added to cover for a malicious 32 bit PE file originally called "winnook.exe " , having a filesize of 36864 bytes. The file is not internally compressed with a packer.

Upon execution, the windows desktop background becomes black and in the center a deceiving text appears about being in danger:

Clicking on an area in the fake text takes on to a commercial website about AV software, namely antivirus-gold.com.

The malicious process winnook.exe is visible in the windows task manager and can also be killed manually but the black background with the warning remains.

It also copies itself to the %windows\%system directory and creates a registry entry to launch itself upon systemstart:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Intel system tool"  , with Data: c:\winnt\system32\winnook.exe

The black desktop arises from the dropped file c:\winnt\desktop.html , filesize 1511 bytes.

The above behaviour and the deceiving text pushes this sample into the trojan area.

Symptoms

• Presence of the file/filesize as mentioned above
• Black windows desktop appearing with deceiving text about being in danger
• Connects to antivirus-gold.com when clicking on the text.

Method of Infection

• Manual execution of the binary, there's no exploit associated with the binary.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Adware/TopSpyware (Panda)

• security risk named W32/Agent.MN (Frisk)

• Spyre.A (Grisoft)

• TopantiL (MkS)

• TR/TopAntiSpyware.L (H+BEDV)

• Troj/Spyre-C (Sophos)

• TROJ_TOPANTSPY.C (Trend)

• Trojan.Fakealert (DrWeb)

• Trojan.TopAntiSpyware.B (VirusBuster)

• Trojan.TopAntiSpyware.L (Softwin)

• Trojan.Win32.TopAntiSpyware.L (Ikarus)

• Trojan.Win32.TopAntiSpyware.l (Kaspersky)

• Trojan.Win32.TopAntiSpyware.L (Prognet)

• Win32.DlExaw.O (CA VET)

• Win32/DlExaw.36864!Trojan (CA eTrust)

• Win32/TopAntiSpyware.L (Eset)

• Win32:AntiSpy [Adw] (Alwil)

Characteristics

Characteristics -

Detection was added to cover for a malicious 32 bit PE file originally called "winnook.exe " , having a filesize of 36864 bytes. The file is not internally compressed with a packer.

Upon execution, the windows desktop background becomes black and in the center a deceiving text appears about being in danger:

Clicking on an area in the fake text takes on to a commercial website about AV software, namely antivirus-gold.com.

The malicious process winnook.exe is visible in the windows task manager and can also be killed manually but the black background with the warning remains.

It also copies itself to the %windows\%system directory and creates a registry entry to launch itself upon systemstart:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Intel system tool"  , with Data: c:\winnt\system32\winnook.exe

The black desktop arises from the dropped file c:\winnt\desktop.html , filesize 1511 bytes.

The above behaviour and the deceiving text pushes this sample into the trojan area.

Symptoms

Symptoms -

• Presence of the file/filesize as mentioned above
• Black windows desktop appearing with deceiving text about being in danger
• Connects to antivirus-gold.com when clicking on the text.

Method of Infection

Method of Infection -

• Manual execution of the binary, there's no exploit associated with the binary.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A