Parent class: TrojWare
Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.Class: Trojan
A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Description
Technical Details
This Trojan is a Windows PE EXE file. It is 33 792 bytes in size.
Installation
When launched, the Trojan copies its executable file to the Windows root directory:
%WinDir%Winrep.exe
In order to ensure that the Trojan is launched automatically each time Windows is restarted, it adds a link to its executable file to the system registry:
[HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows] "Run" = "%WinDir%Winrep.exe" [HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows] "load" = "%WinDir%Winrep.exe"
The Trojan also creates the following system registry key parameter:
[HKLMSOFTWAREMicrosoftWindows NTCurrentVersionCompatibility] "COSTARO" = "10.05.2007"
The Trojan also creates the following empty file.
%WinDir%winrep.log
Payload
The Trojan will periodically cause the following message to be displayed:
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
[HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows] "Run" = "%WinDir%Winrep.exe" [HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows] "load" = "%WinDir%Winrep.exe" [HKLMSOFTWAREMicrosoftWindows NTCurrentVersionCompatibility] "COSTARO" = "10.05.2007"
- Delete the following files:
%WinDir%Winrep.exe %WinDir%winrep.log
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com