BackDoor-AMB

Type: Trojan
SubType: Remote Access
Discovery Date: 10/24/2002
Length: 139,264
Minimum DAT: 4231 (10/30/2002)
Updated DAT: 4364 (06/02/2004)
Minimum Engine: 5.1.00
Description Added: 10/28/2002
Description Modified: 11/22/2002 5:21 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a remote access trojan. It uses Microsoft MSN Messenger to access the victim's machine. There are several variants of the trojan. One variant copies itself to the Windows directory as "Windll32.dll" and sets the following registry value so that it runs at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Windll32" = "C:\WINDOWS\Windll32.exe"

It also changes the start page of Internet Explorer. Other variants do not make these changes.

When run, the trojan launches the MSN Messenger executable in the background and listens for commands. An attacker can use MSN Messenger from another machine to send commands to the victim's machine. It can perform the following operations on the victim's machine:

  • chat anonymously
  • start/stop mouse trembling
  • open/close CD-ROM tray
  • shut down computer
  • minimize/maximize all windows
  • re-arrange mouse buttons
  • copy text to clipboard
  • receive text from clipboard
  • go to URL link
  • set IE startup page
  • flash Num/Caps/Scroll-locks
  • put screen upside down
  • set various status on MSN Messenger
  • try to capture the password
  • perform various tasks such as changing person's nickname, sending message to all contacts, etc.

Symptoms

Existence of the server file in the Windows directory, or msmsgs.exe running in the background with no user interface.
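The indicators above (the "Windll32" Run value, a Windll32.* file in the Windows directory, and msmsgs.exe running with no window) can be checked on a host with the following read-only script. This is an added example, not part of the McAfee description; it only reports findings and assumes the file and value names exactly as this page lists them.

```powershell
# Added example (not McAfee's code): report BackDoor-AMB indicators from this page.
# Read-only: nothing is deleted or changed. Run as an administrator.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Persistence: the "Windll32" value under the HKLM Run key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Windll32']) {
    $findings += "Run key value 'Windll32' = $($run.Windll32)"
}

# 2. Dropped server file in the Windows directory (page names both .dll and .exe)
foreach ($name in 'Windll32.dll', 'Windll32.exe') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        # 139,264 bytes is the length listed for the analysed sample; variants may differ
        $findings += "File present: $path ($size bytes; advisory sample = 139264)"
    }
}

# 3. msmsgs.exe running in the background with no main window
Get-Process -Name msmsgs -ErrorAction SilentlyContinue | ForEach-Object {
    if ([string]::IsNullOrEmpty($_.MainWindowTitle)) {
        $findings += "msmsgs.exe (PID $($_.Id)) running with no visible window"
    }
}

# 4. The page says one variant changes the IE start page; show it for manual review
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start  = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($start) { $findings += "IE start page (review manually): $start" }

if ($findings.Count -eq 0) { 'No BackDoor-AMB indicators found.' } else { $findings }
```

A hit on the Run value or the file is a strong indicator; the msmsgs.exe and start-page checks only flag items for follow-up, since a legitimate Messenger session or a user-chosen home page can produce the same observation.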

Method of Infection

Execution of the trojan on the local machine.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.