The Trojan launches a proxy server on a random TCP port on the victim machine. It then registers itself on the remote malicious user's site, and transmits the number of the open port. The computer can then be used remotely by a malicious user.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Revert the following registry key parameter (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = "Explorer.exe"
- Delete the following file:
%WinDir%\services.exe
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
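The two artefacts named in the steps above (the Winlogon Shell value and the file in the Windows root directory) can be confirmed with a read-only check before and after cleanup. This PowerShell script is an added example, not part of the original description; the function names `Get-ShellFinding` and `Get-DroppedFileFinding` are hypothetical, and the script only reports, it does not change or delete anything.

```powershell
# Added example: read-only triage for the two artefacts this page describes.
$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'Explorer.exe'                       # clean value from the removal steps
# The page names the copy in the Windows root. The legitimate Windows
# services.exe lives in %WinDir%\System32 and must not be touched.
$DroppedFile   = Join-Path $env:WinDir 'services.exe'
$ReportedSize  = 239616                               # file size stated on this page

function Get-ShellFinding {
    param([string]$ShellValue)
    # Anything other than the single default shell is reported (case-insensitive).
    if ([string]::IsNullOrWhiteSpace($ShellValue)) {
        return 'Winlogon Shell value is missing or empty'
    }
    if ($ShellValue.Trim() -ieq $ExpectedShell) { return $null }
    return "Winlogon Shell is '$ShellValue' (expected '$ExpectedShell')"
}

function Get-DroppedFileFinding {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force          # -Force also returns hidden files
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    # A size mismatch does not clear the file; other builds may differ in size.
    $note = if ($item.Length -eq $ReportedSize) { 'size matches this page' }
            else { 'size differs from this page' }
    return "$Path exists: $($item.Length) bytes ($note), signature=$sig, SHA256=$hash"
}

$findings = @()
$shell = (Get-ItemProperty -LiteralPath $WinlogonKey -ErrorAction SilentlyContinue).Shell
$findings += Get-ShellFinding $shell
$findings += Get-DroppedFileFinding $DroppedFile
$findings = @($findings | Where-Object { $_ })          # drop empty results

if ($findings.Count -eq 0) {
    'No indicators from this page were found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt so the file in the Windows root can be read and hashed.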
This Trojan launches a proxy mail server on the victim machine. This Trojan is a Windows PE EXE file. The file is 239,616 bytes in size.
Installation
When launched, the Trojan copies its executable file to the Windows root directory:
%WinDir%\services.exe
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = "Explorer.exe %WinDir%\services.exe"
Payload
