W32/Alemod

Type
Virus
SubType
Win32
Discovery Date
06/20/2005
Length
8,192 (exe)
Minimum DAT
4517 (06/20/2005)
Updated DAT
4551 (08/05/2005)
Minimum Engine
5.1.00
Description Added
06/20/2005
Description Modified
03/16/2006 9:31 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection covers a virus that overwrites a system file for the purpose of information stealing.

The virus might come bundled with other programs. When run, the following file is created in the Windows system directory (%SysDir%):

  • oleadm.dll (6,657)

The virus copies %SysDir%\wininet.dll as %SysDir%\oleadm32.dll and modifies its code.

The following registry values are created or modified:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    "AllowProtectedRenames" = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    "PendingFileRenameOperations" = \??\C:\windows\system32\oleadm32.dll
    !\??\C:\windows\system32\wininet.dll

After the machine is rebooted, wininet.dll is replaced with oleadm32.dll. Wininet.dll is an important system file; it is loaded by executables that make network calls. The replaced DLL logs these network calls and sends the log file to specific web sites. The virus can also download and execute files on the local machine.
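As an added defender-side example (not part of the McAfee description), the following Python helper parses the two Session Manager values listed above and flags any pending rename that would overwrite a file in the system directory at the next reboot. It assumes the default C:\windows\system32 path shown in the advisory; read_live() and its winreg calls only apply on a Windows host, and SAMPLE_VALUE is constructed from the advisory's values.

```python
import re

# Assumes the default system directory C:\windows\system32, the path the
# advisory shows; adjust if %SystemRoot% differs on the host.
SYSTEM_DIR_RE = re.compile(r"^(?:\\\?\?\\)?[a-z]:\\windows\\system32\\", re.IGNORECASE)

def parse_pending_renames(multi_sz):
    """Split the REG_MULTI_SZ list into (source, destination, replace) tuples.
    Entries come in pairs; a destination starting with "!" lets the session
    manager overwrite an existing file, an empty destination means delete."""
    ops = []
    for i in range(0, len(multi_sz) - 1, 2):
        src, dst = multi_sz[i], multi_sz[i + 1]
        ops.append((src, dst.lstrip("!"), dst.startswith("!")))
    return ops

def suspicious_renames(multi_sz, allow_protected_renames):
    """Flag pending renames whose destination lies in the system directory.
    Installers and Windows Update use the same mechanism, so a hit is a lead
    to review (compare the staged file with the original), not proof."""
    findings = []
    for src, dst, replace in parse_pending_renames(multi_sz):
        if dst and SYSTEM_DIR_RE.match(dst):
            findings.append({"source": src, "target": dst,
                             "replaces_existing": replace,
                             "allow_protected_renames": allow_protected_renames == 1})
    return findings

def read_live():
    """On a Windows host, check the real values; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")

    def value(name, default):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return default
    return suspicious_renames(value("PendingFileRenameOperations", []),
                              value("AllowProtectedRenames", 0))

# Constructed sample mirroring the two values shown in the advisory.
SAMPLE_VALUE = [r"\??\C:\windows\system32\oleadm32.dll",
                r"!\??\C:\windows\system32\wininet.dll"]
```

A staged rename into the system directory together with AllowProtectedRenames set to 1 is the combination to look for before the reboot takes effect.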

Symptoms

Existence of the files and registry values detailed above.

Method of Infection

This is a file-infecting virus which spreads by executing an infected file on the computer. The infected file may come from a multitude of sources, including floppy diskettes, downloads through an online service, the network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Trojan-Downloader.Win32.Agent.ns (AVP)
  • W32.Desktophijack (Symantec)
  • Win32.Alemod.A (CA)
