Prova
- Type: Trojan
- SubType: Trojan
- Discovery Date: 02/06/2002
- Length: 690688 Bytes
- Minimum DAT: 4217 (08/07/2002)
- Updated DAT: 4245 (01/29/2003)
- Minimum Engine: 5.1.00
- Description Added: 08/14/2002
- Description Modified: 08/16/2002 2:47 AM (PT)
Characteristics
This is a trojan which displays Italian messages, modifies the registry and shuts down the system after each reboot.
When executed it does the following:
The file Sistrai.exe is a utility which shuts down the system; it is detected as 'Reboot-Q trojan'.
The following registry values are added so that the shutdown utility is launched, and the system shut down, after every reboot:
"Sistray" C:\Windows\Command\sistrai.exe
"Sistray" C:\Windows\Command\sistray.exe
It disables the Windows REGEDIT utility, so that the user cannot edit the registry, by setting the following value to 1:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
It also removes the Run option from the Start menu, as well as 'Favourites', 'Documents' and 'Log Off', by setting the corresponding policy values (NoRun and NoLogoff among them) to 1 under the following registry location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Symptoms
Method of Infection
Execution of the file Prova.exe (690688 bytes).
Removal
Manual Removal
This trojan shuts down the system after every reboot, so the user is unable to use the GUI scanner to remove it.
The steps below allow the user to log into Windows after infection. It is assumed that the user is running DATs older than those listed above.
If the user has DATs 4217 or above installed, they can use the command-line scanner to remove all detected files. Once all files have been removed, they need to rename the following file:
Once renamed, the user can reboot the computer. This gives the user access to their desktop.
Go to the section below marked 'To restore Regedit.exe'.
Instructions for users running DATs below 4217
After the files have been renamed, restart the computer. This gives the user access to the desktop.
To restore Regedit.exe:
1. Click Start, point to Programs, point to Accessories, and then click Notepad.
2. Copy the following text and paste it into the Notepad window.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
3. Click File, and click Save. Save the file to the Desktop as RegedFix.reg.
4. Exit Notepad.
5. Locate and double-click the RegedFix.reg icon on the desktop to import the changes into the registry.
6. When you are prompted, click Yes, and then click OK.
7. Restart the computer.
This should allow the user to access the Registry Editor and amend the keys changed by the trojan.
From C:\Windows\ run Regedit.exe.
Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and reset the values for NoLogoff and NoRun to 0.
Restart the computer.
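The manual procedure above resets the policy values one at a time. As an added example (not code from the McAfee description), the Python script below parses a REGEDIT4-format export such as the one created by Regedit, flags both the settings described under Characteristics (an autorun value launching C:\Windows\Command\sistrai.exe or sistray.exe, and the DisableRegistryTools, NoRun and NoLogoff policy values set to 1) and writes a single .reg file in the same format as RegedFix.reg that reverts them. The sample export is constructed; the HKLM ...\CurrentVersion\Run key holding the "Sistray" value is an assumption, since the page lists the values but not the key they are written under. The value names for the Favourites and Documents restrictions are not given on the page, so they are not checked.

```python
"""Check a REGEDIT4 export for the Prova persistence and lockdown settings
and build a .reg file that reverts them.

Added example; not code from the McAfee description. SAMPLE_EXPORT is
constructed, and the Run key holding the "Sistray" value is an assumption.
"""
import re

HKCU_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
POLICIES_SYSTEM = HKCU_POLICIES + r"\System"
POLICIES_EXPLORER = HKCU_POLICIES + r"\Explorer"

# Policy values the description says the trojan sets to 1.
LOCKDOWN_VALUES = {
    POLICIES_SYSTEM: {"DisableRegistryTools"},
    POLICIES_EXPLORER: {"NoRun", "NoLogoff"},
}
# Shutdown utility paths from the description (compared case-insensitively).
SHUTDOWN_TOOLS = {r"c:\windows\command\sistrai.exe", r"c:\windows\command\sistray.exe"}
AUTORUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}

# Constructed sample export: one autorun value plus the three lockdown values.
# "ScanRegistry" and "NoDriveTypeAutoRun" are benign entries that must not be flagged.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Sistray"="C:\\Windows\\Command\\sistrai.exe"
"ScanRegistry"="C:\\Windows\\scanregw.exe /autorun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoLogoff"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000095
"""

# "Name"=data  or  @=data (default value); the name may contain escaped quotes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from REGEDIT4 text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2)
    return keys


def reg_string(data):
    """Unescape a quoted REG_SZ literal (doubled backslashes, escaped quotes); None otherwise."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return None


def dword(data):
    """Decode dword:XXXXXXXX to an int; None for other value types."""
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", data)
    return int(m.group(1), 16) if m else None


def find_indicators(keys):
    """Return (key, value_name, kind) for each setting matching the description."""
    findings = []
    for key, values in keys.items():
        # Any Run-style key: look for the shutdown utility being auto-started.
        if key.rsplit("\\", 1)[-1].lower() in AUTORUN_KEYS:
            for name, data in values.items():
                path = reg_string(data)
                if path and path.lower() in SHUTDOWN_TOOLS:
                    findings.append((key, name, "autorun"))
        # Policy keys: only the named values, and only when set to 1.
        for name in LOCKDOWN_VALUES.get(key, ()):
            if name in values and dword(values[name]) == 1:
                findings.append((key, name, "lockdown"))
    return findings


def build_fix_reg(findings):
    """REGEDIT4 text: lockdown values reset to 0, autorun values deleted ("Name"=-)."""
    by_key = {}
    for key, name, kind in findings:
        by_key.setdefault(key, []).append((name, kind))
    lines = ["REGEDIT4", ""]
    for key in sorted(by_key):
        lines.append(f"[{key}]")
        for name, kind in by_key[key]:
            lines.append(f'"{name}"=-' if kind == "autorun" else f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_indicators(parse_reg(SAMPLE_EXPORT))
    for key, name, kind in found:
        print(f"{kind:8} {key}\\{name}")
    print(build_fix_reg(found))
```

Run it against an export of the two Policies keys and the Run key (the file produced by Regedit's Export, or one the scanner operator has on hand) and import the resulting .reg the same way as RegedFix.reg in the steps above. Deleting the autorun value in addition to resetting the policies means the shutdown utility is no longer launched even if the file rename was missed; the detected files should still be removed by the scanner first.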
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Trojan.prova (NAV)
Variants
N/A