McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This trojan connects to a prohosting.com user website to download a file named counter. The content of this file is saved locally as OUTPUT.EXE and run. At the time of this writing the downloaded file was a backdoor trojan, BackDoor-AML.

The downloader creates 2 registry keys:

• HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ "Time"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run ".inr\pzeoMm6erZrondFQ"=%Trojan Path%

Symptoms

Presence of BackDoor-AML.

Method of Infection

This trojan has been blocked in the wild; attached to a number of email messages.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

Delete the registry key(s) as mentioned above
Information on deleting registry keys

Restart the computer

Delete the files mentioned above

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This trojan connects to a prohosting.com user website to download a file named counter. The content of this file is saved locally as OUTPUT.EXE and run. At the time of this writing the downloaded file was a backdoor trojan, BackDoor-AML.

The downloader creates 2 registry keys:

• HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ "Time"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run ".inr\pzeoMm6erZrondFQ"=%Trojan Path%

Symptoms

Symptoms -

Presence of BackDoor-AML.

Method of Infection

Method of Infection -

This trojan has been blocked in the wild; attached to a number of email messages.

Removal -

Removal -

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

Delete the registry key(s) as mentioned above
Information on deleting registry keys

Restart the computer

Delete the files mentioned above

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A