McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Subsari.10 (AVP)

• BKDR_SUBSARI10.A (Trend)

• Troj/Subsari-10 (Sophos)

Characteristics

There are several variants of this trojan so this description is a general guide.

When run, it copies itself to %WINDIR%\SYSTEM\RUNEXEC.EXE, and adds the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windowsexwec with the value %WINDIR%\SYSTEM\RUNEXEC.EXE.

Possible actions that could occur are:

• Log keystrokes/get passwords
• Monitors mouse activity
• Chat with the victim
• Get information about the victim's system
• Open/Close CD-ROM tray
• Launch Internet browser to open a page selected by the hacker
• Shutdown/Power-Off/LogOff Victim's system
• Send victim to specific URL

Symptoms

Symptoms which match the list of capabilities above and the existence of above-mentioned file or registry change.

Method of Infection

Running a trojanized executable file will install to the local system.

Removal

All Users :
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Subsari.10 (AVP)

• BKDR_SUBSARI10.A (Trend)

• Troj/Subsari-10 (Sophos)

Characteristics

Characteristics -

There are several variants of this trojan so this description is a general guide.

When run, it copies itself to %WINDIR%\SYSTEM\RUNEXEC.EXE, and adds the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windowsexwec with the value %WINDIR%\SYSTEM\RUNEXEC.EXE.

Possible actions that could occur are:

• Log keystrokes/get passwords
• Monitors mouse activity
• Chat with the victim
• Get information about the victim's system
• Open/Close CD-ROM tray
• Launch Internet browser to open a page selected by the hacker
• Shutdown/Power-Off/LogOff Victim's system
• Send victim to specific URL

Symptoms

Symptoms -

Symptoms which match the list of capabilities above and the existence of above-mentioned file or registry change.

Method of Infection

Method of Infection -

Running a trojanized executable file will install to the local system.

Removal -

Removal -

All Users :
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A