Kaspersky Threats

Class

Platform

Description

Technical Details

This Trojan is designed to inform the remote malicious user that a Trojan component has been successfully installed on the victim machine.

The program is a Windows PE EXE file. It is written in Assembler. The size of infected files may vary from 1600 bytes to 4096 bytes.

Payload

Once launched, the Trojan copies itself to the Windows root directory under its original file name:

%Windir%
It then registers itself in the system registry:
[HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows]
"load" = "%Windir% "
This ensures that the Trojan will be launched each time Windows is booted on the victim machine. 
Every five seconds the Trojan will check for a connection to the Internet.

When a connection to the Internet is established, the Trojan will open the following URL:
http://web.icq.com/whitepages/p***_me/.....
Once this URL has been opened, an ICQ message will be sent to the remote malicious user. The message contains the IP address, name, and user name of the victim machine.  This message will be sent each time a connection to the Internet is established. 
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the Trojan process
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the following file:
%Windir%
Delete the following entry from the system registry:
[HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows]
"load" = "%Windir% "
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Class	Trojan-Notifier
Platform	Win32
Description	Technical Details This Trojan is designed to inform the remote malicious user that a Trojan component has been successfully installed on the victim machine. The program is a Windows PE EXE file. It is written in Assembler. The size of infected files may vary from 1600 bytes to 4096 bytes. Payload Once launched, the Trojan copies itself to the Windows root directory under its original file name: %Windir% It then registers itself in the system registry: [HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows] "load" = "%Windir% " This ensures that the Trojan will be launched each time Windows is booted on the victim machine. Every five seconds the Trojan will check for a connection to the Internet. When a connection to the Internet is established, the Trojan will open the following URL: http://web.icq.com/whitepages/p***_me/..... Once this URL has been opened, an ICQ message will be sent to the remote malicious user. The message contains the IP address, name, and user name of the victim machine. This message will be sent each time a connection to the Internet is established. Removal instructions If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program: Use Task Manager to terminate the Trojan process Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine). Delete the following file: %Windir% Delete the following entry from the system registry: [HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows] "load" = "%Windir% " Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-Notifier.Win32.Sysbopt

Technical Details

Payload

Removal instructions