
Enfal!5B1CAA26

Type: Trojan
SubType: Win32
Discovery Date: 02/09/2007
Length: 53,248 bytes
Minimum DAT: 4840 (08/29/2006)
Updated DAT: 4960 (02/09/2007)
Minimum Engine: 5.1.00
Description Added: 02/09/2007
Description Modified: 02/09/2007 2:18 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low


Characteristics

This description covers one of the trojan executables that is meant to be dropped by the threat described at Exploit-MSWord.f.

On execution this trojan deletes its original file and writes its code into the memory of the explorer.exe process. The trojan then creates copies of itself as:

    • %system%\backup0129.exe
    • %system%\pop3.exe

To automatically activate the trojan on every reboot it adds %system%\pop3.exe to the following registry entry:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

The injected explorer.exe process then attempts to connect to:

    • ms.winibm.com

The trojan's code suggests that it may download and execute files and upload information about the compromised machine.

Symptoms

  • Presence of files and registry entries as described
  • explorer.exe process trying to connect to ms.winibm.com
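A host-side check for the indicators listed under Characteristics and Symptoms follows. It is an added example, not a tool from AVERT or from this description. It assumes that a clean Userinit value holds a single entry, userinit.exe, followed by a trailing comma (Windows runs every program in that comma-separated list at logon, which is why the trojan appends %system%\pop3.exe to it), and that %system% resolves to %SystemRoot%\system32, defaulting to C:\Windows. The function and constant names (suspicious_userinit_entries, present_ioc_files, c2_in_dns_cache, IOC_FILES, IOC_HOST) are the example's own. Only the live registry read needs Windows; the parsing helpers run anywhere, on the constructed sample values embedded in the script.

```python
"""Host-side check for the Enfal indicators in the description above.

Added example, not AVERT's tool. Assumptions (see lead-in): a clean Userinit
value is "<system>\\userinit.exe," and %system% is %SystemRoot%\\system32.
"""
import ntpath
import os
import sys
from typing import List, Optional

# Indicators taken from the description: dropped copies and the C2 hostname.
IOC_FILES = ["backup0129.exe", "pop3.exe"]
IOC_HOST = "ms.winibm.com"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def system_dir() -> str:
    """Resolve %system% from SystemRoot (assumed default: C:\\Windows)."""
    return ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not userinit.exe itself.

    Winlogon runs each comma-separated entry at logon, so any extra entry
    (such as %system%\\pop3.exe) is a persistence point worth investigating.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries
            if e and ntpath.basename(e).lower() != "userinit.exe"]


def ioc_file_paths(sysdir: Optional[str] = None) -> List[str]:
    """Full paths of the dropped copies named in the description."""
    sysdir = sysdir or system_dir()
    return [ntpath.join(sysdir, name) for name in IOC_FILES]


def present_ioc_files(sysdir: Optional[str] = None) -> List[str]:
    """Subset of ioc_file_paths() that actually exist on this host."""
    return [p for p in ioc_file_paths(sysdir) if os.path.exists(p)]


def c2_in_dns_cache(displaydns_output: str) -> bool:
    """True if the C2 hostname appears in `ipconfig /displaydns` output."""
    return IOC_HOST in displaydns_output.lower()


def read_userinit() -> Optional[str]:
    """Read the live Userinit value; None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample values so the script demonstrates itself offline.
    sample_userinit = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pop3.exe,"
    sample_dns = "Record Name . . . . . : ms.winibm.com\nRecord Type . . . . . : 1"
    print("extra Userinit entries:", suspicious_userinit_entries(sample_userinit))
    print("C2 host in DNS cache:", c2_in_dns_cache(sample_dns))
    live = read_userinit()
    if live is not None:
        print("live Userinit extras:", suspicious_userinit_entries(live))
        print("dropped files present:", present_ioc_files())
```

On a Windows host, run the script as an administrator so the registry read succeeds; feed `c2_in_dns_cache` the output of `ipconfig /displaydns` to look for the resolver-cache symptom. Any non-empty result from `suspicious_userinit_entries` or `present_ioc_files` matches the symptoms listed above and warrants a full scan with current DATs.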

Method of Infection

This trojan is meant to be dropped by the threat described at Exploit-MSWord.f.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.


Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

Aliases

  • BackDoor.Mask (Doctor Web)
  • Trj/Qhost.ER (Panda)
  • Troj/Sharp-R (Sophos)
