McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This is a remote access trojan. When run, it copies itself to Windows system directory as internat.dic and Windows directory as notepad.jmp. It creates and modifies several registry keys to load itself at startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\windows=%Windows system path%internat.dic

• HKEY_CLASSES_ROOT\txtfile\shell\open\command\(Default)=
  %Windows path%notepad.jmp

• HKEY_CLASSES_ROOT\.dic\(Default)=exefile

• HKEY_CLASSES_ROOT\.jmp\(Default)=exefile

Symptoms

Existence of internat.dic in Windows system directory, notepad.jmp in Windows directory.

Method of Infection

Remote access trojans give an attacker a method for connecting to the compromised system and performing various tasks. This remote access trojan is designed to have several capabilities, such as:

• Copy, and delete files and folders
• Create folders
• List running programs and opened window titles
• Execute commands
• Download files
• Display messages on the screen of the remote machine

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

Delete the registry key(s) as mentioned above
Information on deleting registry keys

Restart the computer

Delete the files mentioned above

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This is a remote access trojan. When run, it copies itself to Windows system directory as internat.dic and Windows directory as notepad.jmp. It creates and modifies several registry keys to load itself at startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\windows=%Windows system path%internat.dic

• HKEY_CLASSES_ROOT\txtfile\shell\open\command\(Default)=
  %Windows path%notepad.jmp

• HKEY_CLASSES_ROOT\.dic\(Default)=exefile

• HKEY_CLASSES_ROOT\.jmp\(Default)=exefile

Symptoms

Symptoms -

Existence of internat.dic in Windows system directory, notepad.jmp in Windows directory.

Method of Infection

Method of Infection -

Remote access trojans give an attacker a method for connecting to the compromised system and performing various tasks. This remote access trojan is designed to have several capabilities, such as:

• Copy, and delete files and folders
• Create folders
• List running programs and opened window titles
• Execute commands
• Download files
• Display messages on the screen of the remote machine

Removal -

Removal -

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

Delete the registry key(s) as mentioned above
Information on deleting registry keys

Restart the computer

Delete the files mentioned above

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A