Trojan-Clicker.Win32.GreatPage
| Alert Level : | Medium |
| Discovered: | Nov 16 2006 |
| Tag: | Trojan Clickers |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan will periodically load a designated web page in the Internet browser. It is a Windows PE EXE file. The executable file is 36 864 bytes in size. It is written in Visual C++.
Payload
Once launched, the Trojan copies itself to the Windows system directory as "winsvc32.exe":
%System%\winsvc32.exe
It then registers this file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winsvc32.exe" = "%System%\winsvc32.exe"
This ensures that the Trojan will be launched each time Windows is booted on the victim machine.
Every 30 minutes, the Trojan will open http://www.greatpage.da.ru using the Windows command line.
At the time of writing, no page was hosted at this address.
Trojan-Clicker.Win32.GreatPage removal instructions:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following file: %System%\winsvc32.exe
- Delete the following system registry entry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winsvc32.exe" = "%System%\winsvc32.exe"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
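The check and cleanup steps above can be scripted. The following PowerShell is an added example, not part of the original advisory: it reports the Run value and the dropped file, and removes them only when the hypothetical `-Remove` switch is given. Checking `SysWOW64` as well as `System32` and stopping a running copy before deletion are assumptions added here; the advisory itself names only `%System%\winsvc32.exe`.

```powershell
# Added example (not from the advisory). Run in the affected user's session:
# the autorun entry lives under HKCU, which is per-user.
param([switch]$Remove)   # hypothetical switch: report only unless -Remove is given

$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName      = 'winsvc32.exe'   # Run value name given in the advisory
$expectedSize = 36864            # file size given in the advisory, in bytes

# %System%\winsvc32.exe; SysWOW64 is an assumption covering 32-bit file
# redirection on 64-bit Windows.
$candidates = @(
    (Join-Path $env:WINDIR 'System32\winsvc32.exe'),
    (Join-Path $env:WINDIR 'SysWOW64\winsvc32.exe')
)

# 1. Autorun entry
$runValue = (Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue).$valName
if ($null -ne $runValue) { "Run value '$valName' = $runValue" }
else                     { "Run value '$valName' not present" }

# 2. Dropped copy: report size match and hash so the file can be confirmed
#    with an antivirus vendor before it is deleted.
$files = @($candidates | Where-Object { Test-Path -LiteralPath $_ } |
           ForEach-Object { Get-Item -LiteralPath $_ -Force })
foreach ($f in $files) {
    [pscustomobject]@{
        Path        = $f.FullName
        Size        = $f.Length
        SizeMatches = ($f.Length -eq $expectedSize)
        SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

# 3. Removal, in the order that lets the file delete succeed
if ($Remove) {
    # Stop a running copy first, otherwise the file is locked.
    Get-Process -Name 'winsvc32' -ErrorAction SilentlyContinue |
        Where-Object { $candidates -contains $_.Path } |
        Stop-Process -Force
    if ($null -ne $runValue) { Remove-ItemProperty -Path $runKey -Name $valName }
    foreach ($f in $files)   { Remove-Item -LiteralPath $f.FullName -Force }
}
```

Deleting from the Windows system directory requires an elevated session; if elevation switches to a different account, the HKCU check must still be run as the affected user.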

