The Trojan launches a SOCKS proxy server on the victim machine on a TCP port chosen at random. It then uses a URL request to send the port number to the remote malicious user's site.
The Trojan also attempts to terminate the following processes:
- ZONEALARM.EXE
- WFINDV32.EXE
- WEBSCANX.EXE
- VSSTAT.EXE
- VSHWIN32.EXE
- VSECOMR.EXE
- VSCAN40.EXE
- VETTRAY.EXE
- VET95.EXE
- TDS2-NT.EXE
- TDS2-98.EXE
- TCA.EXE
- TBSCAN.EXE
- SWEEP95.EXE
- SPHINX.EXE
- SMC.EXE
- SERV95.EXE
- SCRSCAN.EXE
- SCANPM.EXE
- SCAN95.EXE
- SCAN32.EXE
- SAFEWEB.EXE
- RESCUE.EXE
- RAV7WIN.EXE
- RAV7.EXE
- PERSFW.EXE
- PCFWALLICON.EXE
- PCCWIN98.EXE
- PAVW.EXE
- PAVSCHED.EXE
- PAVCL.EXE
- PADMIN.EXE
- OUTPOST.EXE
- NVC95.EXE
- NUPGRADE.EXE
- NORMIST.EXE
- NMAIN.EXE
- NISUM.EXE
- NAVWNT.EXE
- NAVW32.EXE
- NAVNT.EXE
- NAVLU32.EXE
- NAVAPW32.EXE
- N32SCANW.EXE
- MPFTRAY.EXE
- MOOLIVE.EXE
- LUALL.EXE
- LOOKOUT.EXE
- LOCKDOWN2000.EXE
- JEDI.EXE
- IOMON98.EXE
- IFACE.EXE
- ICSUPPNT.EXE
- ICSUPP95.EXE
- ICMON.EXE
- ICLOADNT.EXE
- ICLOAD95.EXE
- IBMAVSP.EXE
- IBMASN.EXE
- IAMSERV.EXE
- IAMAPP.EXE
- F-STOPW.EXE
- FRW.EXE
- FP-WIN.EXE
- F-PROT95.EXE
- F-PROT.EXE
- FPROT.EXE
- FINDVIRU.EXE
- F-AGNT95.EXE
- ESPWATCH.EXE
- ESAFE.EXE
- ECENGINE.EXE
- DVP95_0.EXE
- DVP95.EXE
- CLEANER3.EXE
- CLEANER.EXE
- CLAW95CF.EXE
- CLAW95.EXE
- CFINET32.EXE
- CFINET.EXE
- CFIAUDIT.EXE
- CFIADMIN.EXE
- BLACKICE.EXE
- BLACKD.EXE
- AVWUPD32.EXE
- AVWIN95.EXE
- AVSCHED32.EXE
- AVPUPD.EXE
- AVPTC32.EXE
- AVPM.EXE
- AVPDOS32.EXE
- AVPCC.EXE
- AVP32.EXE
- AVP.EXE
- AVNT.EXE
- AVKSERV.EXE
- AVGCTRL.EXE
- AVE32.EXE
- AVCONSOL.EXE
- AUTODOWN.EXE
- APVXDWIN.EXE
- ANTI-TROJAN.EXE
- ACKWIN32.EXE
- _AVPM.EXE
- _AVPCC.EXE
- _AVP32.EXE
The Trojan also downloads updates to itself from the remote malicious user.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the following folder and its contents:
%Program Files%\q~1
- Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bab" = "c:\progra~1\q~1\svchst32.exe"
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way.
Installation
When launched, the Trojan will copy its executable file as:
%Program Files%\q~1\svchst32.exe
The original file which was launched is then deleted.
The Trojan also adds a link to its executable file in the system registry, ensuring that the Trojan will be launched when Windows is rebooted on the victim machine:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bab" = "c:\progra~1\q~1\svchst32.exe"
The Trojan also creates the following file:
c:\!stealth.txt
Payload
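The following PowerShell script is an added example, not part of the Kaspersky description and not the vendor's tool. It audits a host for the indicators the description lists (the Run value "bab", the %Program Files%\q~1\svchst32.exe copy, the c:\!stealth.txt file, a running svchst32 process and any TCP listener that process owns, since the SOCKS proxy port is random) and, with the -Remove switch, applies the manual removal steps above in the order given. The function names, the -Remove switch and the output layout are this example's own choices; run it from an elevated prompt, because deleting under Program Files and stopping the process require administrative rights.

```powershell
# Added example: audit a Windows host for the indicators in this description,
# and optionally apply the manual removal steps. The Run value name "bab", the
# folder %Program Files%\q~1, svchst32.exe and c:\!stealth.txt come from the
# description; everything else here is an assumption of this example.
param([switch]$Remove)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'bab'
$dropDir   = Join-Path $env:ProgramFiles 'q~1'
$dropExe   = Join-Path $dropDir 'svchst32.exe'
$marker    = 'C:\!stealth.txt'

function Find-Indicators {
    $findings = @()

    # Persistence: the Run value pointing at the dropped executable.
    $val = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($val -and $val.$valueName -match 'q~1\\svchst32\.exe') {
        $findings += [pscustomobject]@{ Type = 'RegistryRun'; Detail = "$runKey\$valueName = $($val.$valueName)" }
    }

    # Dropped files (LiteralPath so '!' and '~' are not treated specially).
    foreach ($p in @($dropExe, $marker)) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $p }
        }
    }

    # Running copy, and any TCP listener it owns. The proxy port is chosen at
    # random, so match on the owning process rather than on a port number.
    $procs = Get-Process -Name 'svchst32' -ErrorAction SilentlyContinue
    foreach ($proc in $procs) {
        $findings += [pscustomobject]@{ Type = 'Process'; Detail = "PID $($proc.Id) $($proc.Path)" }
        Get-NetTCPConnection -State Listen -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'Listener'; Detail = "PID $($proc.Id) listening on $($_.LocalAddress):$($_.LocalPort)" }
            }
    }
    return $findings
}

function Remove-Indicators {
    # Same order as the removal steps: stop the process first so the files can be deleted.
    Get-Process -Name 'svchst32' -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path -LiteralPath $dropDir) { Remove-Item -LiteralPath $dropDir -Recurse -Force }
    if (Test-Path -LiteralPath $marker)  { Remove-Item -LiteralPath $marker -Force }
    Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
}

$found = @(Find-Indicators)
if ($found.Count -eq 0) {
    Write-Output 'No indicators found.'
} else {
    $found | Format-Table -AutoSize
    if ($Remove) {
        Remove-Indicators
        Write-Output 'Removal steps applied; update antivirus databases and run a full scan.'
    }
}
```

Run it once without -Remove to confirm which indicators are present, then with -Remove; the final step from the description (updating signatures and running a full scan) still has to be done by the antivirus product itself.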