McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

This trojan is designed to capture information from user's searches and creates related popup windows or advertisements.

This trojan also connects to different site to download other Trojans.

Characteristics

As this detection covers many variants, the characteristics of this trojan with regards to the file names, registry keys, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

This trojan drops a copy of itself using ramdom characters in Windows System Directory.

The Trojan set itself as a Browser helper Object and is usually injected to user's internet browser like Internet Explorer or Firefox.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}\InprocServer32\
(Default) = "Trojan path and Filename"

Some variants may inject to winlogon.exe and explorer.exe to stay resident.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Trojan filename}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs "" "Trojan path and Filename"

It also creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System 

This Trojan tries to capture information from user's searches and creates related popup windows or advertisements.

It targets the user's searches from the following websites:

• youtube.com
  
• websearch.com
  
• usseek.com
  
• sensis.com.au
  
• searchmiracle.com
  
• neon.org.uk
  
• mirago.co.uk
  
• wesearchall.com
  
• search.about.com
  
• mywebsearch.com
  
• mysearch.myway.com
  
• netster.com
  
• lb1.netster.com
  
• vivisimo.com
  
• search.netzero.net
  
• search.netscape.com
  
• recherche.aol.fr
  
• query.nytimes.com
  
• mamma.com
  
• kanoodle.com
  
• jayde.com
  
• hotbot.com
  
• search.dmoz.org
  
• web.ask
  
• excite.co.jp
  
• url.searchuk.com
  
• uk.searchengine.com
  
• excite.co.jp
  
• infoseek.co.jp
  
• search.looksmart.com
  
• findsearch.net
  
• destinationadult.com
  
• 7search.com
  
• yahoo.com/search
  
• s.teoma.com
  
• search.xtramsn.co.nz
  
• search.wanadoo.co.uk
  
• search.sympatico.msn.ca
  
• search.msn
  
• search.earthlink.net
  
• search.daum.net
  
• reference.com
  
• instafinder.com
  
• goguides.org
  
• gigablast.com
  
• comcast.net
  
• bbc.co.uk
  
• ask.com/web
  
• altavista.com
  
• alltheweb.com
  
• alexa.com

This trojan attempts to connect to the following websites either to upload information or to download new version of the Trojan:

• http://65.243.[removed]/go
  
• http://85.12.[removed]
  
• http://85.17.166.[removed]/cn?sid=
  
• http://85.17.166.[removed]/dwn
  
• http://85.17.169.[removed]/forum
  
• http://83.149.105.[removed
  
• http://77.93.75.[removed]/search/qw.dll
  

This may then display fake error screen asking the user to download rouge system security tools like the Antivirus 360.

Symptoms

• Existence of Registry keys and value details above
• Ramdom filenames in Windows System Directory
• Outgoing traffic to remote server mentioned above
• Pop-up windows and advertisements

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

This trojan is designed to capture information from user's searches and creates related popup windows or advertisements.

This trojan also connects to different site to download other Trojans.

Characteristics

Characteristics -

As this detection covers many variants, the characteristics of this trojan with regards to the file names, registry keys, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

This trojan drops a copy of itself using ramdom characters in Windows System Directory.

The Trojan set itself as a Browser helper Object and is usually injected to user's internet browser like Internet Explorer or Firefox.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}\InprocServer32\
(Default) = "Trojan path and Filename"

Some variants may inject to winlogon.exe and explorer.exe to stay resident.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Trojan filename}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs "" "Trojan path and Filename"

It also creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System 

This Trojan tries to capture information from user's searches and creates related popup windows or advertisements.

It targets the user's searches from the following websites:

• youtube.com
  
• websearch.com
  
• usseek.com
  
• sensis.com.au
  
• searchmiracle.com
  
• neon.org.uk
  
• mirago.co.uk
  
• wesearchall.com
  
• search.about.com
  
• mywebsearch.com
  
• mysearch.myway.com
  
• netster.com
  
• lb1.netster.com
  
• vivisimo.com
  
• search.netzero.net
  
• search.netscape.com
  
• recherche.aol.fr
  
• query.nytimes.com
  
• mamma.com
  
• kanoodle.com
  
• jayde.com
  
• hotbot.com
  
• search.dmoz.org
  
• web.ask
  
• excite.co.jp
  
• url.searchuk.com
  
• uk.searchengine.com
  
• excite.co.jp
  
• infoseek.co.jp
  
• search.looksmart.com
  
• findsearch.net
  
• destinationadult.com
  
• 7search.com
  
• yahoo.com/search
  
• s.teoma.com
  
• search.xtramsn.co.nz
  
• search.wanadoo.co.uk
  
• search.sympatico.msn.ca
  
• search.msn
  
• search.earthlink.net
  
• search.daum.net
  
• reference.com
  
• instafinder.com
  
• goguides.org
  
• gigablast.com
  
• comcast.net
  
• bbc.co.uk
  
• ask.com/web
  
• altavista.com
  
• alltheweb.com
  
• alexa.com

This trojan attempts to connect to the following websites either to upload information or to download new version of the Trojan:

• http://65.243.[removed]/go
  
• http://85.12.[removed]
  
• http://85.17.166.[removed]/cn?sid=
  
• http://85.17.166.[removed]/dwn
  
• http://85.17.169.[removed]/forum
  
• http://83.149.105.[removed
  
• http://77.93.75.[removed]/search/qw.dll
  

This may then display fake error screen asking the user to download rouge system security tools like the Antivirus 360.

Symptoms

Symptoms -

• Existence of Registry keys and value details above
• Ramdom filenames in Windows System Directory
• Outgoing traffic to remote server mentioned above
• Pop-up windows and advertisements

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A