Content

ManifestDest

Type
Trojan
SubType
Remote Access
Discovery Date
12/19/2002
Length
2,457,600(dropper)
Minimum DAT
4239 (12/23/2002)
Updated DAT
4239 (12/23/2002)
Minimum Engine
5.1.00
Description Added
01/17/2003
Description Modified
01/17/2003 4:45 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

The trojan dropper appears to be an installation program of a shareware. When run, the dropper drops several files in "c:\Program Files\Common Files\Services" directory.

  • Serv-U.ini
  • slog.sys
  • wssdsu.exe
  • wssdsup.exe
  • wssdtu.exe
  • wsys.dll
  • wsys.exe
Among the dropped files, wssdsu.exe is already detected as "application ServU-Daemon", which is a program running as an ftp server on the local machine. Wsys.exe, Wsys.dll are detected as "application Starr", which are program files of a commercial PC and Internet Monitoring product. The following registry keys are created in order to load these applications at Windows start up:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Enumeration Service" = "(path)\wsys.exe"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Folder Service " = "(path)\wssdsu.exe"

The dropper then displays a confirmation dialog box and continues with the shareware installation.

The trojan makes connection to a specific web site and an ftp site.

Symptoms

Method of Infection

Running of the dropper file will infect the machine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trj/ManifestDest (Panda)
  • Trojan.Win32.ManifestDestiny (AVP)
  • Win32.Manifest (CA)

Characteristics

Characteristics -

The trojan dropper appears to be an installation program of a shareware. When run, the dropper drops several files in "c:\Program Files\Common Files\Services" directory.

  • Serv-U.ini
  • slog.sys
  • wssdsu.exe
  • wssdsup.exe
  • wssdtu.exe
  • wsys.dll
  • wsys.exe
Among the dropped files, wssdsu.exe is already detected as "application ServU-Daemon", which is a program running as an ftp server on the local machine. Wsys.exe, Wsys.dll are detected as "application Starr", which are program files of a commercial PC and Internet Monitoring product. The following registry keys are created in order to load these applications at Windows start up:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Enumeration Service" = "(path)\wsys.exe"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Folder Service " = "(path)\wssdsu.exe"

The dropper then displays a confirmation dialog box and continues with the shareware installation.

The trojan makes connection to a specific web site and an ftp site.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Running of the dropper file will infect the machine.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A