McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via email. The trojan is able to perform the following actions:

• download and execute files
• take screenshots
• capture keystrokes
• read systeminformation
• read the configuration of Outlook
• read ICQ configuration
• kill running processes

When run, the trojan displays this dialog:

This dialog is for obfuscation only, the trojan installs itself anyway to the %windir%\system32 directory, using the filename:

• " svchost.exe"   Note: There's a space in front of the name!

It creates a registry run key to load itself at Windows start up.

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "regedit" = "C:\WINNT\System32\ svchost.exe" ccRegVfy
  

The trojan also creates a log file in %windir%\system32 directory. The following file names are used:

• CFXP.DRV
• CHJO.DRV
• MMSYSTEM.DLX
• OLECLI.DLX
• OLECLISystemUpdate_[date] [time].DLX

The trojan takes screenshots and saves them as OLECLISystemUpdate_[date] [time].DLX and inserts the current date and time into the filename. These files are harmless JPEG files.

Symptoms

Existence of files and registry keys mentioned above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via email. The trojan is able to perform the following actions:

• download and execute files
• take screenshots
• capture keystrokes
• read systeminformation
• read the configuration of Outlook
• read ICQ configuration
• kill running processes

When run, the trojan displays this dialog:

This dialog is for obfuscation only, the trojan installs itself anyway to the %windir%\system32 directory, using the filename:

• " svchost.exe"   Note: There's a space in front of the name!

It creates a registry run key to load itself at Windows start up.

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "regedit" = "C:\WINNT\System32\ svchost.exe" ccRegVfy
  

The trojan also creates a log file in %windir%\system32 directory. The following file names are used:

• CFXP.DRV
• CHJO.DRV
• MMSYSTEM.DLX
• OLECLI.DLX
• OLECLISystemUpdate_[date] [time].DLX

The trojan takes screenshots and saves them as OLECLISystemUpdate_[date] [time].DLX and inserts the current date and time into the filename. These files are harmless JPEG files.

Symptoms

Symptoms -

Existence of files and registry keys mentioned above.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A