W32/Trats
- Type: Virus
- SubType: Win32
- Discovery Date: 12/10/2007
- Length: varies
- Minimum DAT: 5182 (12/10/2007)
- Updated DAT: 5550 (03/11/2009)
- Minimum Engine: 5.1.00
- Description Added: 12/10/2007
- Description Modified: 01/04/2008 3:40 PM (PT)
Overview
W32/Trats is a file infecting virus which can also download other malware and display annoying pop-ups.
Aliases
- W32.Trats (Symantec)
- W32/VirtInf-B (Sophos)
Characteristics
W32/Trats is a file-infecting virus that downloads other malware and displays unwanted pop-ups.
On execution, W32/Trats creates the following files:
- %System%\ttstv.ini
- %System%\ttstv.ini2
- %System%\vtstt.dll
- %System%\vtstt.exe
The following registry value is set so that the dropped executable is started again at the next logon:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "%System%\vtstt.exe"
The dropped DLL is then registered as an Internet Explorer Browser Helper Object (BHO), which loads it into every Internet Explorer process:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{<RANDOM-ID>}\InprocServer32\: "%System%\vtstt.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<RANDOM-ID>}
(Where %System% refers to the System32 folder, e.g. C:\WINNT\system32)
The virus then infects executables by embedding the target file within its own body and pointing one of its resources at the embedded copy; the infected file is therefore the virus with the original attached, which is why infected files grow in size. It only targets executables referenced from the Run registry key or present in the user's Startup folder. When an infected file runs, the original file is dropped in the same folder with a space inserted before its extension. For example, if the infected file is hkcmd.exe, the clean original is dropped as hkcmd .exe.
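The following Python is an added example, not AVERT's tool and not code from the virus: it demonstrates the infection layout described above by locating and carving an embedded PE image out of a host file. It scans for a second valid MZ/PE header pair rather than walking the resource directory the page mentions (a simplification chosen for the example; the page does not detail the resource entry), and the "infected" bytes it operates on are constructed with a minimal fake PE header, not a real Trats sample. The names find_embedded_pe, carve_original and make_fake_pe are the example's own.

```python
"""Carve a PE image that has been embedded inside another PE (added example)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_header_at(data, off):
    """True if a plausible DOS header + PE signature starts at `off`."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return False
    # e_lfanew (offset 0x3C in the DOS header) is relative to the MZ header
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 > len(data):
        return False
    return data[pe_off:pe_off + 4] == PE_SIG


def find_embedded_pe(data):
    """Offsets beyond 0 at which a valid MZ/PE header pair begins."""
    hits = []
    pos = data.find(MZ, 1)
    while pos != -1:
        if pe_header_at(data, pos):
            hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def carve_original(data):
    """Bytes of the first embedded PE image, or None if there is none.

    Assumption for this example: the embedded original is the last thing in
    the file, so the carve runs to end-of-file.  A real tool would take the
    length from the resource entry or the embedded image's section table.
    """
    hits = find_embedded_pe(data)
    return data[hits[0]:] if hits else None


def make_fake_pe(payload):
    """Constructed stand-in for a PE: 0x40-byte DOS stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(MZ + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # PE header right after the DOS header
    return bytes(hdr) + PE_SIG + payload


# Constructed sample: a "virus" body wrapping an "original" program (not a real sample)
ORIGINAL = make_fake_pe(b"ORIGINAL-PROGRAM-CODE")
INFECTED = make_fake_pe(b"VIRUS-BODY" + b"\0" * 16) + b"RSRC" + ORIGINAL

if __name__ == "__main__":
    print("embedded PE header at:", find_embedded_pe(INFECTED))
    print("carved copy matches original:", carve_original(INFECTED) == ORIGINAL)
```

Scanning for the header pair instead of trusting the resource table means the check still works if the resource entry has been damaged or changed, at the cost of possible false hits on files that legitimately carry embedded executables (installers, self-extractors), so a positive hit should be confirmed against the size-growth and sibling-file symptoms below.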
This malware may also download other trojans, such as variants of the Vundo trojan and rogue anti-spyware programs (for example variants of WinFixer), and may display browser pop-ups. It tries to connect to the following remote address to obtain information about which advertisements to display:
- 85.15.43.77
Symptoms
- Presence of files as mentioned
- Presence of registry entries as mentioned
- Increase in the size of executables listed under the Run registry key or present in the Startup folder
- Unwanted browser pop-ups
- Network activity with 85.15.43.77
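The following Python is an added example, not an AVERT or McAfee tool, that turns the indicators listed on this page into a triage check. It runs over a constructed host inventory (a list of file paths, a dict of registry values and a set of remote addresses, as an offline collection script might dump them), so it runs anywhere; on a live host the same structures would be filled from the file system and from HKCU/HKLM. The CLSID in the sample is a placeholder, the function names check_trats and dropped_original_siblings are the example's own, and the sibling check generalises the hkcmd.exe / hkcmd .exe case from the text to any file name.

```python
"""Triage check for the W32/Trats indicators listed on this page (added example)."""
import ntpath
import re

# Indicators taken from this page
DROPPED_FILES = {"ttstv.ini", "ttstv.ini2", "vtstt.dll", "vtstt.exe"}
LOAD_VALUE = "hkcu\\software\\microsoft\\windows nt\\currentversion\\windows\\load"
BHO_PREFIX = "hklm\\software\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
INPROC_RE = re.compile(
    r"^hklm\\software\\classes\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32\\?$", re.I)
AD_SERVER = "85.15.43.77"


def dropped_original_siblings(paths):
    """Return (infected, clean) pairs where 'name .ext' sits beside 'name.ext'.

    Trats drops the clean host next to the infected one with a space before
    the extension.  ntpath is used so Windows paths parse on any platform.
    """
    present = set(paths)
    pairs = []
    for path in paths:
        folder, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        if not ext or stem.endswith(" "):
            continue  # no extension, or this is already the dropped copy
        sibling = ntpath.join(folder, stem + " " + ext)
        if sibling in present:
            pairs.append((path, sibling))
    return pairs


def check_trats(files, registry, remote_addrs):
    """Return human-readable findings for each matched indicator.

    files        - iterable of full paths present on the host
    registry     - dict {key or value path: data} as a collector would dump it
    remote_addrs - set of remote IPs the host has connected to
    """
    findings = []
    for path in files:
        if ntpath.basename(path).lower() in DROPPED_FILES:
            findings.append(f"dropped file: {path}")
    reg = {k.lower(): v for k, v in registry.items()}
    load = reg.get(LOAD_VALUE, "")
    if load.lower().endswith("vtstt.exe"):
        findings.append(f"persistence: Windows\\load = {load}")
    for key, data in reg.items():
        match = INPROC_RE.match(key)
        if match and data.lower().endswith("vtstt.dll"):
            clsid = match.group(1)
            bho = "present" if BHO_PREFIX + clsid in reg else "missing"
            findings.append(f"BHO: {clsid} -> {data} (BHO registration {bho})")
    for infected, clean in dropped_original_siblings(files):
        findings.append(f"infected host: {infected} (clean copy {clean})")
    if AD_SERVER in remote_addrs:
        findings.append(f"network: connection to {AD_SERVER}")
    return findings


# Constructed sample inventory (not from a real host); the CLSID is a placeholder
CLSID = "{11111111-2222-3333-4444-555555555555}"
SAMPLE_FILES = [
    "C:\\WINNT\\system32\\ttstv.ini",
    "C:\\WINNT\\system32\\vtstt.dll",
    "C:\\WINNT\\system32\\vtstt.exe",
    "C:\\WINNT\\system32\\hkcmd.exe",
    "C:\\WINNT\\system32\\hkcmd .exe",
    "C:\\WINNT\\system32\\notepad.exe",
]
SAMPLE_REGISTRY = {
    "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load": "C:\\WINNT\\system32\\vtstt.exe",
    "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID + "\\InprocServer32\\": "C:\\WINNT\\system32\\vtstt.dll",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + CLSID: "",
}
SAMPLE_CONNECTIONS = {"85.15.43.77", "192.0.2.10"}

if __name__ == "__main__":
    for finding in check_trats(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_CONNECTIONS):
        print(finding)
```

The BHO check deliberately reports whether the CLSID's InprocServer32 entry is also listed under Browser Helper Objects: a DLL registered only as a COM server is not loaded by Internet Explorer, so the pair together is the stronger indicator. The sibling check is the one worth keeping beyond this family, since a "name .exe" beside "name.exe" in a Run-key or Startup location is rarely legitimate.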
Method of Infection
W32/Trats is a file-infecting virus. Infection starts with manual execution of the binary, which is also how it is typically spread: the executable is passed around under the pretence that it is something beneficial, over channels such as IRC, peer-to-peer networks and newsgroup postings.
Removal
AVERT recommends always using the latest DATs and engine; this threat is cleaned with that combination.
Variants
N/A