Downloader-BIW

Type
Trojan
SubType
Downloader
Discovery Date
06/11/2008
Length
13,824
Minimum DAT
5315 (06/11/2008)
Updated DAT
5371 (08/27/2008)
Minimum Engine
5.1.00
Description Added
06/11/2008
Description Modified
06/11/2008 9:05 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Upon execution, the trojan drops its rootkit component, a kernel-mode driver (see the "Type" = 1 service entries below), as a randomly named .dat file in the root of the system drive:

  • C:\(random hex digits).dat

The following registry keys are added to register the dropped file as a driver service:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(random hex digits)
    "DisplayName" = (random hex digits)
    "ErrorControl" = 0
    "ImagePath" = \??\C:\(random hex digits).dat
    "Type" = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\(random hex digits)
    "DisplayName" = (random hex digits)
    "ErrorControl" = 0
    "ImagePath" = \??\C:\(random hex digits).dat
    "Type" = 1

"Type" = 1 is SERVICE_KERNEL_DRIVER, so the .dat file is loaded into the kernel despite its extension; "ErrorControl" = 0 (SERVICE_ERROR_IGNORE) tells the Service Control Manager not to report a failed load; the \??\ prefix is the NT object-manager form of the Win32 path.

It then launches a hidden "iexplore.exe" process and injects code into it, so that the network activity appears to originate from the browser.
The injected code attempts to download a file list from a remote site:

  • http://www.tama[removed].cn/v.txt

It then downloads each file named in that list into the following directory and executes it:

  • %UserProfile%\Local Settings\Temp\

Note: %UserProfile% is a variable location and refers to the user's profile folder, typically C:\Documents and Settings\%user%.
Symptoms

  • Presence of the files and registry entries listed previously
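The symptom above can be checked mechanically. The following script is an added example and not part of the original McAfee description: it flags service entries that match the pattern described on this page (a hex-named kernel-driver service, "Type" = 1, whose ImagePath is a hex-named .dat file in the root of a drive). The minimum hex-name length of 6, the sample service entries, and the `enumerate_services_winreg` helper are assumptions for illustration; on a Windows host the helper reads the live registry, elsewhere the constructed sample is used.

```python
import re
from typing import Dict, Iterable, List

SERVICE_KERNEL_DRIVER = 0x1  # "Type" = 1 in the registry entries listed above

# The page gives the names only as "(random hex digits)"; the length is not
# stated, so we accept any run of 6 or more hex digits (assumption).
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)
# ImagePath of the dropped driver: \??\<drive>:\<hex>.dat at the drive root
ROOT_DAT_PATH = re.compile(r"^\\\?\?\\[a-z]:\\([0-9a-f]+)\.dat$", re.IGNORECASE)


def is_downloader_biw_service(svc: Dict[str, object]) -> bool:
    """True if a service entry matches the Downloader-BIW pattern:
    hex-named kernel-driver service whose ImagePath is a hex-named .dat
    file in the root of a drive."""
    if svc.get("Type") != SERVICE_KERNEL_DRIVER:
        return False
    if not HEX_NAME.match(str(svc.get("Name", ""))):
        return False
    return ROOT_DAT_PATH.match(str(svc.get("ImagePath", ""))) is not None


def suspicious_driver_services(services: Iterable[Dict[str, object]]) -> List[str]:
    """Return the names of all service entries matching the pattern."""
    return [str(s["Name"]) for s in services if is_downloader_biw_service(s)]


def enumerate_services_winreg(hive_path: str = r"SYSTEM\CurrentControlSet\Services"):
    """Read Name/DisplayName/ImagePath/Type/ErrorControl for every service
    under the given key (Windows only; raises ImportError elsewhere)."""
    import winreg  # stdlib on Windows only

    results = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, hive_path) as root:
        idx = 0
        while True:
            try:
                name = winreg.EnumKey(root, idx)
            except OSError:  # no more subkeys
                break
            idx += 1
            entry: Dict[str, object] = {"Name": name}
            try:
                with winreg.OpenKey(root, name) as k:
                    for value in ("DisplayName", "ImagePath", "Type", "ErrorControl"):
                        try:
                            entry[value] = winreg.QueryValueEx(k, value)[0]
                        except FileNotFoundError:
                            pass
            except OSError:
                continue
            results.append(entry)
    return results


# Constructed sample entries (not taken from a real infected system).
SAMPLE_SERVICES = [
    # matches: hex name, kernel driver, hex .dat in the drive root
    {"Name": "3f9a1c7e", "DisplayName": "3f9a1c7e", "ErrorControl": 0,
     "ImagePath": r"\??\C:\3f9a1c7e.dat", "Type": 1},
    # legitimate kernel driver, non-hex name, normal driver path
    {"Name": "Tcpip", "DisplayName": "TCP/IP Protocol Driver", "ErrorControl": 1,
     "ImagePath": r"System32\DRIVERS\tcpip.sys", "Type": 1},
    # user-mode service (Type 32), not a driver
    {"Name": "wuauserv", "DisplayName": "Automatic Updates", "ErrorControl": 1,
     "ImagePath": r"%systemroot%\system32\svchost.exe -k netsvcs", "Type": 32},
    # hex name but a .sys under system32\drivers, not a root-level .dat
    {"Name": "deadbeef", "DisplayName": "deadbeef", "ErrorControl": 0,
     "ImagePath": r"\??\C:\WINDOWS\system32\drivers\deadbeef.sys", "Type": 1},
]


def main() -> None:
    try:
        # check both control sets named on this page
        services = (enumerate_services_winreg(r"SYSTEM\CurrentControlSet\Services")
                    + enumerate_services_winreg(r"SYSTEM\ControlSet001\Services"))
    except ImportError:
        services = SAMPLE_SERVICES
    for name in suspicious_driver_services(services):
        print(f"suspicious kernel-driver service: {name}")


if __name__ == "__main__":
    main()
```

Run it from an elevated prompt on the host being checked; a hit names the service key to inspect and the matching C:\<hex>.dat file to collect before cleaning. The name test is deliberately loose (any hex run), so treat a match as a lead to confirm against the ImagePath and the file on disk rather than as proof on its own.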

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include email, IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher). Because the dropped component is registered as a kernel-mode driver service, confirm after a reboot that the service keys and the C:\(random hex digits).dat file listed above are gone.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a trojan which attempts to download malicious files from remote sites.