Trojan.Win32.Macur

Class: Trojan
Platform: Win32
Description

Technical Details

This Trojan is written in Assembler, and is not packed in any way. The file is 8,192 bytes in size.

If the Trojan is launched from a directory other than %Windir%, the following error message will be displayed:

Once launched, the Trojan copies itself to the Windows system directory as “pic.exe”:

%Windir%\pic.exe

It then adds the string pic.exe to the load key in win.ini:

load=pic.exe

The Trojan then creates 1500 folders in the Windows directory with names composed of zeros, ones, twos, threes, fours and fives.

The Trojan contains the following strings:

Macur-Copyright 1998-1999. 17 Apr 1999, ***im@duck.odessa.ua, ICQ# **216706

Removal instructions

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the file created by the Trojan:
    %Windir%\pic.exe
  3. Delete the following string from win.ini (only for Windows 95/98/Me):
    load=pic.exe
  4. Delete all folders created by the Trojan.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
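
A read-only triage sketch for the traces listed above, run against a Windows directory or a mounted image of one. It is an added example, not code from the original description; the function names, the constructed sample tree and the matching of load= in any section of win.ini are assumptions.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

TROJAN_NAME, TROJAN_SIZE = "pic.exe", 8192      # name and size given in the description
DIGIT_NAME = re.compile(r"[0-5]+")              # folder names made only of digits 0-5


def load_entries(ini_text):
    """Base names (lower-cased) of every program on a load= line of win.ini."""
    names = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "load":
            # load= may list several programs, separated by spaces or commas
            names += [PureWindowsPath(p).name.lower() for p in re.split(r"[,\s]+", value) if p]
    return names


def triage(windir):
    """Report which of the documented traces exist under windir; deletes nothing."""
    found = {"copy": None, "size_matches": False, "load_entry": False, "folders": []}
    for entry in Path(windir).iterdir():
        name = entry.name.lower()               # an image mounted on Linux is case-sensitive
        if entry.is_file() and name == TROJAN_NAME:
            found["copy"] = entry
            found["size_matches"] = entry.stat().st_size == TROJAN_SIZE
        elif entry.is_file() and name == "win.ini":
            text = entry.read_text(encoding="latin-1")
            found["load_entry"] = TROJAN_NAME in load_entries(text)
        elif entry.is_dir() and DIGIT_NAME.fullmatch(entry.name):
            found["folders"].append(entry.name)
    found["folders"].sort()
    return found


def build_sample(root):
    """Constructed sample tree (not real data): a stand-in file, a win.ini, some folders."""
    root = Path(root)
    (root / "PIC.EXE").write_bytes(b"\0" * TROJAN_SIZE)   # zero-filled placeholder, not malware
    (root / "WIN.INI").write_text("[windows]\nload=C:\\TOOLS\\clock.exe pic.exe\nrun=\n")
    for name in ("0", "1", "2345", "SYSTEM", "2001backup", "678"):
        (root / name).mkdir()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage(build_sample(tmp)).items():
            print(f"{key}: {value}")
```

A folder whose name happens to consist of the digits 0 to 5 is not necessarily one of the Trojan's, so review the reported list before deleting anything.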