McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This trojan downloads a list of e-mail addresses and spam content from website wm.maxysearch.info. It then sends out the mails using its own SMTP engine, to the addresses in that list. The 'from' field, subject and body of mail can vary depending upon the spam content.

An example of such a mail can be

From: "iaremirov" <ovywqxocwuz@hotmail.com> To: hisride@yahoo.com Subject: incredible prices for best drugs! Wide r@nge 0f mo$t popular generic$ with low prices: /iagra, Cial1s, Propeci@, Glucophage, /ioxx, Celebrex, Meridia, Zoloft, etcViagra is used for the treatment of male impotency. The active ingredient in Viagra is a specific inhibitor of phosphodiesterase 5. Phosphodiesterase 5 (PDE5) cleaves the ring form of cyclic GMP (cGMP) a cellular second messenger similar to cAMP. The inhibition of the phosphodiesterase allows for the persistence of cGMP which promotes the effects of cGMP production. In this case, it allows for increased blood flow into the penis which may result in an erection.This is the lowest price for Viagra online! At 0ur site you p@y only $1.60 per do$e! including all fees and charges. If you'd like to see prices for other medicines, visit 0ur site! Remove your email <link>   

This trojan does not create any registry or files. It is observed to come bundled with other trojans, which may execute this trojan for spam.

Symptoms

There is no obvious symptom of presence of the trojan as it does not create any registry or file changes. However, the network traffic and CPU utillization increases if the trojan is running.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.  Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This trojan downloads a list of e-mail addresses and spam content from website wm.maxysearch.info. It then sends out the mails using its own SMTP engine, to the addresses in that list. The 'from' field, subject and body of mail can vary depending upon the spam content.

An example of such a mail can be

From: "iaremirov" <ovywqxocwuz@hotmail.com> To: hisride@yahoo.com Subject: incredible prices for best drugs! Wide r@nge 0f mo$t popular generic$ with low prices: /iagra, Cial1s, Propeci@, Glucophage, /ioxx, Celebrex, Meridia, Zoloft, etcViagra is used for the treatment of male impotency. The active ingredient in Viagra is a specific inhibitor of phosphodiesterase 5. Phosphodiesterase 5 (PDE5) cleaves the ring form of cyclic GMP (cGMP) a cellular second messenger similar to cAMP. The inhibition of the phosphodiesterase allows for the persistence of cGMP which promotes the effects of cGMP production. In this case, it allows for increased blood flow into the penis which may result in an erection.This is the lowest price for Viagra online! At 0ur site you p@y only $1.60 per do$e! including all fees and charges. If you'd like to see prices for other medicines, visit 0ur site! Remove your email <link>   

This trojan does not create any registry or files. It is observed to come bundled with other trojans, which may execute this trojan for spam.

Symptoms

Symptoms -

There is no obvious symptom of presence of the trojan as it does not create any registry or file changes. However, the network traffic and CPU utillization increases if the trojan is running.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.  Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants -

N/A