Class: Trojan-Notifier
Platform: Win32

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Notifier

Malicious programs of this type are designed to send messages informing the malicious user controlling them when an infected computer is online. The malicious user receives information about the infected computer, such as its IP address, the number of the open port, email addresses, etc. The information can be sent by a range of methods: email, a specially crafted request sent to the malicious user’s website, or instant messaging. Notifiers are used in multi-component Trojans to notify malicious users that malicious programs have been successfully installed on victim computers.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This Trojan is designed to inform the remote malicious user that a Trojan component has been successfully installed on the victim machine.

The program is a Windows PE EXE file written in Assembler. The size of the Trojan file varies from 1600 bytes to 4096 bytes.

Payload

Once launched, the Trojan copies itself to the Windows root directory under its original file name:

%Windir%

It then registers itself in the system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Windir% "

This ensures that the Trojan will be launched each time Windows is booted on the victim machine.

Every five seconds the Trojan checks whether an Internet connection is available. When a connection to the Internet is established, the Trojan opens the following URL:

http://web.icq.com/whitepages/p***_me/.....

Once this URL has been opened, an ICQ message is sent to the remote malicious user. The message contains the IP address, computer name, and user name of the victim machine. The message is sent each time a connection to the Internet is established.
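The beacon described above leaves a trace in any web proxy that sits between the victim machine and the Internet: a request to the web.icq.com/whitepages/ prefix every time the host comes online. The following is an added detection example, not code from the Kaspersky description; the Squid-format log lines are constructed, the internal addresses are made up, and the path segment after whitepages/ is a placeholder because the real path is redacted on the page.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Indicator taken from the description: the notifier opens a URL under this prefix
# whenever the machine comes online. The rest of the path is redacted on the page,
# so only the prefix is matched.
BEACON_PREFIX = "http://web.icq.com/whitepages/"

# Constructed sample in Squid native access.log format: epoch.ms, elapsed ms, client,
# status/code, bytes, method, URL, user, hierarchy, content-type.
# 10.0.0.23 shows the notifier pattern (two online events); 10.0.0.41 is ordinary browsing
# and its one visit to the ICQ front page must NOT be flagged.
SAMPLE_PROXY_LOG = """\
1089107220.114    312 10.0.0.23 TCP_MISS/200 1834 GET http://web.icq.com/whitepages/p_placeholder/ - DIRECT/64.12.0.1 text/html
1089107221.902    120 10.0.0.41 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1089118901.557    298 10.0.0.23 TCP_MISS/200 1834 GET http://web.icq.com/whitepages/p_placeholder/ - DIRECT/64.12.0.1 text/html
1089118944.003    210 10.0.0.41 TCP_MISS/200 2048 GET http://web.icq.com/ - DIRECT/64.12.0.1 text/html
"""

# Only the fields needed for the check are captured: timestamp, client address, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def find_beacons(log_text: str) -> Dict[str, List[int]]:
    """Map each client that requested the notifier URL prefix to the epoch
    timestamps of those requests. A client with several hits, spaced by hours
    rather than seconds, matches the 'once per connection' behaviour of the Trojan."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("url").startswith(BEACON_PREFIX):
            hits[m.group("client")].append(int(m.group("ts")))
    return dict(hits)


if __name__ == "__main__":
    for client, stamps in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {len(stamps)} notifier request(s) at {stamps}")
```

Matching on the URL prefix rather than the host alone is deliberate: the front page of web.icq.com is legitimate traffic, whereas the whitepages path is the specific indicator the description gives.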

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following file:
     %Windir%
  4. Delete the following entry from the system registry:
     [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
     "load" = "%Windir% "
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
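The persistence mechanism in the Payload section and step 4 of the removal instructions both concern the same registry location: the "load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy autostart entry that is empty on a clean system. The following is an added example for checking an exported copy of that key offline; it is not code from the Kaspersky description. The .reg text is constructed (what `reg export` of that key produces), and the executable name in it is a placeholder because the page does not give the Trojan's file name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: output of exporting the key on a machine where the "load" value
# has been set. The file name is a placeholder; the real one is not given on the page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\notifier_placeholder.exe"
"run"=""
"NullPort"="None"
"""

# Values under this key that Windows treats as autostart entries (legacy win.ini semantics).
AUTOSTART_VALUES = ("load", "run")
KEY_SUFFIX = r"\Software\Microsoft\Windows NT\CurrentVersion\Windows".lower()

# One "name"="data" string-value line; escaped quotes and backslashes are allowed inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used for string values:
    [key] headers followed by "name"="data" lines. Returns {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            # .reg doubles backslashes and escapes quotes; undo both.
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_autostart_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every non-empty load/run value under a
    ...\\Windows NT\\CurrentVersion\\Windows key in any hive. Legitimate software
    almost never populates these, so any non-empty entry deserves a look and,
    for this Trojan, is the entry removal step 4 deletes."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(KEY_SUFFIX):
            continue
        for name in AUTOSTART_VALUES:
            data = values.get(name, "").strip()
            if data:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_autostart_entries(SAMPLE_REG_EXPORT):
        print(f'[{key}] "{name}" = "{data}"')
```

Checking the export rather than the live registry keeps the check usable from an analysis workstation; on the affected machine itself, `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"` shows the same value directly.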
