The Trojan changes the values of the following system registry keys:
- [HKCU\Software\Microsoft\Internet Explorer\Main]
  "Window Title" = "http://weesnich.de.vu"
  "Start Page" = "Microsuxx"
- [HKCU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
  "Window Title" = "http://weesnich.de.vu"
  "Start Page" = "Microsuxx"
- [HKEY_USERS\S-1-5-21-606747145-1060284298-839522115-1003\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
  "Window Title" = "http://weesnich.de.vu"
  "Start Page" = "Microsuxx"
- [HKEY_USERS\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Internet Explorer\Main]
  "Window Title" = "http://weesnich.de.vu"
  "Start Page" = "Microsuxx"
- [HKEY_USERS\S-1-5-21-606747145-1060284298-
Periodically, the Trojan will open the following links in an Internet Explorer window:
- http://www.countering.de/***2000/click.exe?a200639 1
- http://213.221.***.59/in.php?id=Daniel20gera
- http://213.221.***.42/rankem.cgi?id=daniel20
- http://520009810531-****.bei.t-online.de/index.htm
- http://www.countering.de/***2000/counter.exe?a200639 1
At the time of writing, these links were not working.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the file created by the Trojan:
%System%\service.exe
- Delete the following system registry key parameters:
  - [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MyApp"="%System32%\service.exe"
  - [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Window Title"="http://weesnich.de.vu"
    "Start Page"="Microsuxx"
  - [HKCU\DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Window Title"="http://weesnich.de.vu"
    "Start Page"="Microsuxx"
  - [HKEY_USERS\S-1-5-21-606747145-1060284298-839522115-1003\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Window Title"="http://weesnich.de.vu"
    "Start Page"="Microsuxx"
  - [HKEY_USERS\S-1-5-21-606747145-1060284298-839522115-1003\Software\Microsoft\Internet Explorer\Main]
    "Window Title"="http://weesnich.de.vu"
    "Start Page"="Microsuxx"
  - [HKEY_USERS\S-1-5-21-606747145-1060284298-
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
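The registry values named in the removal steps can also be checked offline against a text export of the user hives. The Python code below is an added example, not part of the original description: the function name, the sample SID and the sample paths are constructed, and it matches the values under any user SID rather than only the one quoted above.

```python
import re

# Indicators copied from the description on this page.
IE_MAIN = r"\software\microsoft\internet explorer\main"
RUN = r"\software\microsoft\windows\currentversion\run"
IE_VALUES = {"window title": "http://weesnich.de.vu", "start page": "Microsuxx"}
RUN_NAME, RUN_TAIL = "myapp", r"\service.exe"

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export format (SID and paths are made up).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\WINDOWS\\system32\\service.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Internet Explorer\Main]
"Window Title"="http://weesnich.de.vu"
"Start Page"="Microsuxx"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
'''

def find_artifacts(reg_text):
    """Return (key, value name, data) for each string value matching the indicators."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)          # remember the key the next values belong to
            continue
        m = _VAL.match(line)
        if not (m and key):
            continue                  # header, blank line, or non-string value
        # .reg files escape backslashes and quotes with a leading backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        k = key.lower()
        ie_hit = k.endswith(IE_MAIN) and IE_VALUES.get(name.lower()) == data
        run_hit = (k.endswith(RUN) and name.lower() == RUN_NAME
                   and data.lower().endswith(RUN_TAIL))
        if ie_hit or run_hit:
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_artifacts(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

`reg export` writes UTF-16 text, so read a real export with `encoding="utf-16"` before passing its contents to `find_artifacts`.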
This Trojan opens a range of URLs without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 26,624 bytes in size. It is written in Visual Basic.
Installation
When launched, the Trojan copies its executable file to the Windows system directory:
%System%\service.exe
In order to ensure that the Trojan is launched automatically each time Windows is restarted, the Trojan registers its executable file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp" = "%System%\service.exe"
Payload
