Kaspersky Threats

Class

Platform

Description

Technical Details

This Trojan opens a range of URLs without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 26,624 bytes in size. It is written in Visual Basic.

Installation

When launched, the Trojan copies its executable file to the Windows system directory:

%System%service.exe

In order to ensure that the Trojan is launched automatically each time Windows is restarted, the Trojan registers its executable file in the system registry:

[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
“MyApp” = “%System%service.exe”

Payload

The Trojan changes the values of the following system registry keys:

[HKCUSoftwareMicrosoftInternet ExplorerMain]
“Window Title” = “http://weesnich.de.vu”
“Start Page” = “Microsuxx”
[HKCU.DEFAULTSoftwareMicrosoftInternet ExplorerMain]
“Window Title” = “http://weesnich.de.vu”
“Start Page” = “Microsuxx”
[HKEY_USERSS-1-5-21-606747145-1060284298-839522115- 1003.DEFAULTSoftwareMicrosoftInternet ExplorerMain]
“Window Title” = “http://weesnich.de.vu”
“Start Page” = “Microsuxx”
[HKEY_USERSS-1-5-21-606747145-1060284298-839522115-1003SoftwareMicrosoftInternet ExplorerMain]
“Window Title” = “http://weesnich.de.vu”
“Start Page” = “Microsuxx”

Periodically, the Trojan will open the following links in an Internet Explorer window:

http://www.countering.de/***2000/click.exe?a200639+1
http://213.221.***.59/in.php?id=Daniel20gera
http://213.221.***.42/rankem.cgi?id=daniel20
http://520009810531-****.bei.t-online.de/index.htm
http://www.countering.de/***2000/counter.exe?a200639+1

At the time of writing, these links were not working.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the Trojan process.
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the file created by the Trojan:
```
%System%service.exe
```
Delete the following system registry key parameters:
- [HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
  “MyApp”=”%System32%service.exe”
- [HKCUSoftwareMicrosoftInternet ExplorerMain]
  “Window Title”=”http://weesnich.de.vu”
  “Start Page”=”Microsuxx”
- [HKCUDEFAULTSoftwareMicrosoftInternet ExplorerMain]
  “Window Title”=”http://weesnich.de.vu”
  “Start Page”=”Microsuxx”
- [HKEY_USERSS-1-5-21-606747145-1060284298-839522115-1003.DEFAULTSoftwareMicrosoftInternet ExplorerMain]
  “Window Title”=”http://weesnich.de.vu”
  “Start Page”=”Microsuxx”
- [HKEY_USERSS-1-5-21-606747145-1060284298-839522115-1003SoftwareMicrosoftInternet ExplorerMain]
  “Window Title”=”http://weesnich.de.vu”
  “Start Page”=”Microsuxx”
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Class	Trojan-Clicker
Platform	Win32
Description	Technical Details This Trojan opens a range of URLs without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 26,624 bytes in size. It is written in Visual Basic. Installation When launched, the Trojan copies its executable file to the Windows system directory: %System%service.exe In order to ensure that the Trojan is launched automatically each time Windows is restarted, the Trojan registers its executable file in the system registry: [HKCUSoftwareMicrosoftWindowsCurrentVersionRun] “MyApp” = “%System%service.exe” Payload The Trojan changes the values of the following system registry keys: [HKCUSoftwareMicrosoftInternet ExplorerMain] “Window Title” = “http://weesnich.de.vu” “Start Page” = “Microsuxx” [HKCU.DEFAULTSoftwareMicrosoftInternet ExplorerMain] “Window Title” = “http://weesnich.de.vu” “Start Page” = “Microsuxx” [HKEY_USERSS-1-5-21-606747145-1060284298-839522115- 1003.DEFAULTSoftwareMicrosoftInternet ExplorerMain] “Window Title” = “http://weesnich.de.vu” “Start Page” = “Microsuxx” [HKEY_USERSS-1-5-21-606747145-1060284298-839522115-1003SoftwareMicrosoftInternet ExplorerMain] “Window Title” = “http://weesnich.de.vu” “Start Page” = “Microsuxx” Periodically, the Trojan will open the following links in an Internet Explorer window: http://www.countering.de/*2000/click.exe?a200639+1 http://213.221..59/in.php?id=Daniel20gera http://213.221..42/rankem.cgi?id=daniel20 http://520009810531-.bei.t-online.de/index.htm http://www.countering.de/*2000/counter.exe?a200639+1 At the time of writing, these links were not working. Removal instructions If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program: Use Task Manager to terminate the Trojan process. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine). Delete the file created by the Trojan: %System%service.exe Delete the following system registry key parameters: [HKCUSoftwareMicrosoftWindowsCurrentVersionRun] “MyApp”=”%System32%service.exe” [HKCUSoftwareMicrosoftInternet ExplorerMain] “Window Title”=”http://weesnich.de.vu” “Start Page”=”Microsuxx” [HKCUDEFAULTSoftwareMicrosoftInternet ExplorerMain] “Window Title”=”http://weesnich.de.vu” “Start Page”=”Microsuxx” [HKEY_USERSS-1-5-21-606747145-1060284298-839522115-1003.DEFAULTSoftwareMicrosoftInternet ExplorerMain] “Window Title”=”http://weesnich.de.vu” “Start Page”=”Microsuxx” [HKEY_USERSS-1-5-21-606747145-1060284298-839522115-1003SoftwareMicrosoftInternet ExplorerMain] “Window Title”=”http://weesnich.de.vu” “Start Page”=”Microsuxx” Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-Clicker.Win32.Mobs

Technical Details

Installation

Payload

Removal instructions