Kaspersky Threats

Class

Platform

Description

Technical Details

This Trojan is designed to steal user passwords. It is a Windows PE EXE file. It is 10,240 bytes in size. It is not packed in any way. It is written in Visual C++.

Installation

Once launched, the Trojan copies itself to the Windows system directory as “winsys.dll”. The Trojan also creates the following system registry key:
:

[HKLMSoftwareSlySoftSly]

The Trojan also adds the following parameter to the system registry:

[HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
“winsys” = “winsys.dll”

This ensures that the Trojan will be launched each time Windows is booted on the victim machine.

The Trojan also creates a unique identifier, “slyishere”, to flag its presence in the system:

slyishere

Payload

This Trojan tracks the user’s actions on the victim machine. It tracks keys pressed by the user.

It connects to a mail server to send the data collected from the victim machine to the following address:

****@intertainment.co.za

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the Trojan process.
Delete the following file:
```
%System%/winsys.dll
```
Delete the key and value created by the Trojan in the system registry:

[HKLMSoftwareSlySoft]

[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
“winsys”
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Find out the statistics of the threats spreading in your region

Class	Trojan-PSW
Platform	Win32
Description	Technical Details This Trojan is designed to steal user passwords. It is a Windows PE EXE file. It is 10,240 bytes in size. It is not packed in any way. It is written in Visual C++. Installation Once launched, the Trojan copies itself to the Windows system directory as “winsys.dll”. The Trojan also creates the following system registry key: : [HKLMSoftwareSlySoftSly] The Trojan also adds the following parameter to the system registry: [HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices] “winsys” = “winsys.dll” This ensures that the Trojan will be launched each time Windows is booted on the victim machine. The Trojan also creates a unique identifier, “slyishere”, to flag its presence in the system: slyishere Payload This Trojan tracks the user’s actions on the victim machine. It tracks keys pressed by the user. It connects to a mail server to send the data collected from the victim machine to the following address: ****@intertainment.co.za Removal instructions If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program: Use Task Manager to terminate the Trojan process. Delete the following file: %System%/winsys.dll Delete the key and value created by the Trojan in the system registry: [HKLMSoftwareSlySoft] [HKLMSoftwareMicrosoftWindowsCurrentVersionRun] “winsys” Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
	Find out the statistics of the threats spreading in your region

Trojan-PSW.Win32.SlyDude

Technical Details

Installation

Payload

Removal instructions