Trojan-Proxy.Win32.Horst.xc
| Alert Level : | Medium |
| Discovered: | Sep 04 2007 |
| Tag: | Trojan-Proxy-Servers |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan program is a Windows PE EXE file. It is 23,552 bytes in size. It is packed using UPX. The unpacked file is approximately 48KB in size. It is written in C.
Payload
The Trojan launches a system process called "svchost.exe" and injects its code into the process.
When the injected code is run, the following error message will be displayed:
The following unique identifier will then be created:
BC5E6DA8-DD1B-12DD-139A-B5B2378C9A04
to show that a copy of the Trojan process has been launched in the system. If such an identifier has already been created, then the current copy of the Trojan will cease running.
After waiting five minutes, the Trojan will then attempt to download a file from the following link:
http://64.27.*.*/***/setup1.exe
At the moment of writing, this link was not working.
This file will be saved to the Windows temporary directory under a name constructed according to the following mask:
%Temp%\t
Removal instructions for Trojan-Proxy.Win32.Horst.xc:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Disconnect from the Internet.
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the file whose name corresponds to the mask below from the Windows temporary directory:
%Temp%\t

