Trojan-PSW.Win32.Coced

Detect Date 01/11/2002
Class Trojan-PSW
Platform Win32
Description

Technical Details

This Trojan is one of a family of Trojans which steals user passwords. It is designed to steal confidential data. It is a Windows PE EXE file. The file is 9,728 bytes in size. It is written in Visual C++.

Payload

The Trojan changes the values of the following system registry keys:

[HKCUSoftwareMirabilisICQAgentAppsICQ]
“Enable” = “yes”
“Path” = “
“Startup” = “”
“Parameters” = “”

[HKCUSoftwareMirabilisICQAgent]
“Launch Warning” = “No”

The Trojan uses WnetEnumCachedPasswords to harvest information about modem connections used by the system to access the Internet and passwords for these connections.

The Trojan sends harvested data to the remote malicious user’s email address:

lenin*****@usa.net

The Trojan uses mail.computer.com to send outgoing messages

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key parameters:

    [HKCUSoftwareMirabilisICQAgentAppsICQ]
    “Enable” = “yes”
    “Path” = “
    “Startup” = “”
    “Parameters” = “”

    [HKCUSoftwareMirabilisICQAgent]
    “Launch Warning” = “No”

  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).