McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

When executed on the victim machine, this downloader trojan attempts to download files via HTTP. The files it tries to download from this HTTP site are porndialers.

The trojan copies itself to the C:\WINDOWWS\SYSTEM directory as MSFINDOS.EXE and creates the following registry run keys to load itself at startup

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "msfindosa.exe" C:\WINDOWS\SYSTEM\msfindosa.exe

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "msfindosa.exe" C:\WINDOWS\SYSTEM\msfindosa.exe

Most of the porndialers it attempts to download are already detected as 'Application PORNDIAL-124' by the latest DATS.

Please note that the detection of the Porndialers is an application type - for this "potentially unwanted application". The current command-line scanner makes use of such detections (with the /PROGRAM switch), as does VirusScan 7 (via configuration pages).

Symptoms

Presence of the file MSFINDOSA.EXE in the C:\Windows\System folder.

Presence of the above Registry key values.

Method of Infection

This trojan downloads files from the Internet without user consent or knowledge.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

When executed on the victim machine, this downloader trojan attempts to download files via HTTP. The files it tries to download from this HTTP site are porndialers.

The trojan copies itself to the C:\WINDOWWS\SYSTEM directory as MSFINDOS.EXE and creates the following registry run keys to load itself at startup

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "msfindosa.exe" C:\WINDOWS\SYSTEM\msfindosa.exe

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "msfindosa.exe" C:\WINDOWS\SYSTEM\msfindosa.exe

Most of the porndialers it attempts to download are already detected as 'Application PORNDIAL-124' by the latest DATS.

Please note that the detection of the Porndialers is an application type - for this "potentially unwanted application". The current command-line scanner makes use of such detections (with the /PROGRAM switch), as does VirusScan 7 (via configuration pages).

Symptoms

Symptoms -

Presence of the file MSFINDOSA.EXE in the C:\Windows\System folder.

Presence of the above Registry key values.

Method of Infection

Method of Infection -

This trojan downloads files from the Internet without user consent or knowledge.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A