Spyaxe
- Type: Trojan
- SubType:
- Discovery Date: 12/13/2005
- Length: 98,304 bytes
- Minimum DAT: 4649 (12/13/2005)
- Updated DAT: 4986 (03/16/2007)
- Minimum Engine: 5.1.00
- Description Added: 12/13/2005
- Description Modified: 12/22/2005 9:51 AM (PT)
Characteristics
This Trojan consists of a DLL file named either svchosts.dll or ioctl.dll that is placed in %SystemDir%.
MD5 hash: 0x1A1592738BECF79995E0728399445843
It attempts to silently download and install Adware-Spyaxe, or to alarm the user into manually installing it using fake system alerts (see Symptoms).
During installation the following registry keys are added to ensure loading at system startup:
- HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72}
- HKEY_CURRENT_USER\Software\Classes\CLSID\{A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72}\InProcServer32
  "default"="C:\\WINDOWS\\system32\\svchosts.dll"
  "ThreadingModel"="Apartment"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  "{A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72}"="Reload Browse"
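The three keys above form one persistence chain: Explorer loads every CLSID listed under SharedTaskScheduler at startup, and the per-user CLSID registration under HKCU\Software\Classes tells COM which DLL to load for it. The script below is an added audit example, not McAfee's tooling, that walks that chain on a live system: it lists each SharedTaskScheduler CLSID, resolves its InProcServer32 (checking HKCU before HKLM, the order COM uses), and flags the known Spyaxe CLSID, the svchosts.dll/ioctl.dll file names, the MD5 from this description, per-user (HKCU) registrations, and DLLs without a valid Authenticode signature. It assumes PowerShell 4 or later (for Get-FileHash) and read access to HKLM; the variable names are the example's own.

```powershell
# Added audit example (not McAfee's own code): inspect Explorer's SharedTaskScheduler
# persistence location and resolve each CLSID to the DLL that Explorer would load.
$SpyaxeClsid = '{A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72}'   # CLSID from the description
$SpyaxeMd5   = '1A1592738BECF79995E0728399445843'         # MD5 from the description
$SpyaxeNames = @('svchosts.dll', 'ioctl.dll')             # dropped file names from the description

$stsPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$findings = @()

if (Test-Path $stsPath) {
    $sts = Get-ItemProperty -Path $stsPath
    # Every value name under SharedTaskScheduler is a CLSID that Explorer instantiates at logon.
    foreach ($prop in $sts.PSObject.Properties) {
        if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip PSPath etc.
        $clsid   = $prop.Name
        $server  = $null
        $hive    = $null
        $reasons = @()

        # Resolve the COM server. A per-user registration (HKCU\Software\Classes) takes
        # precedence over the machine-wide one, which is exactly what Spyaxe relies on.
        foreach ($root in @('HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID')) {
            $ips = Join-Path $root "$clsid\InProcServer32"
            if (Test-Path $ips) {
                $hive   = $root
                $server = (Get-ItemProperty -Path $ips).'(default)'
                break
            }
        }

        if ($clsid -ieq $SpyaxeClsid)   { $reasons += 'known Spyaxe CLSID' }
        if ($hive -like 'HKCU:*')       { $reasons += 'CLSID registered per-user (HKCU) rather than machine-wide' }

        if ($server) {
            $expanded = [Environment]::ExpandEnvironmentVariables($server)
            $leaf     = Split-Path -Leaf $expanded
            if ($SpyaxeNames -icontains $leaf) { $reasons += "DLL name $leaf matches Spyaxe dropper names" }
            if (Test-Path $expanded) {
                $md5 = (Get-FileHash -Path $expanded -Algorithm MD5).Hash
                if ($md5 -ieq $SpyaxeMd5) { $reasons += 'MD5 matches the Spyaxe sample' }
                # Legitimate SharedTaskScheduler entries are backed by signed Microsoft DLLs.
                $sig = Get-AuthenticodeSignature -FilePath $expanded
                if ($sig.Status -ne 'Valid') { $reasons += "DLL is not validly signed ($($sig.Status))" }
            } else {
                $reasons += 'InProcServer32 points to a file that does not exist'
            }
        } else {
            $reasons += 'CLSID has no resolvable InProcServer32 DLL'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                CLSID   = $clsid
                Label   = $prop.Value        # e.g. "Reload Browse" for Spyaxe
                Hive    = $hive
                Server  = $server
                Reasons = ($reasons -join '; ')
            }
        }
    }
} else {
    Write-Output "SharedTaskScheduler key not present."
}

if ($findings.Count -eq 0) {
    Write-Output "No suspicious SharedTaskScheduler entries found."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean system normally shows only machine-wide (HKLM) CLSIDs here, each resolving to a signed Microsoft DLL, so any per-user registration or unsigned server in this key deserves a look even when the CLSID and hash do not match this specific sample. Removing the SharedTaskScheduler value and the HKCU CLSID key breaks the load chain; the DLL itself should then be deleted after a reboot, since Explorer holds it open while running.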
Symptoms
Display of alerts warning of spyware and prompting the user to download anti-spyware software. These alerts are constructed so as to appear to be coming from the operating system (Windows Update, official system errors, etc.).
If the user clicks on these alerts, the Trojan opens a browser window to download and install Adware-Spyaxe from http://www.spyaxe.com/
The Trojan also attempts to silently download and install Adware-Spyaxe without user intervention. Therefore another symptom may be the sudden appearance of the software on the system without the user having explicitly installed it.
Method of Infection
The DLL may be dropped and registered/loaded by another Trojan. Currently, installation has been observed by Downloader-AQW.
Removal
Use current engine and DAT files for detection and removal. Removal requires removing the entry in the SYSTEM.INI file and restarting in MS-DOS mode to delete the file manually from the Windows and Windows\System folders.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.