TROJ_EXEC_S
Windows 98, ME, NT, 2000, XP, Server 2003

Threat Type:
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
It adds registry entries to enable its automatic execution at every system startup.
It has the capability to create its own server component.
It modifies the affected system's HOSTS file. This prevents users from accessing certain websites.
Once users access any of the monitored sites, it starts logging keystrokes.
TECHNICAL DETAILS
Autostart Technique
It adds the following registry entries to enable its automatic execution at every system startup:
- 1 = 1
- C:\Documents and Settings\Administrator\My Documents = C:\Documents and Settings\Administrator\My Documents
Backdoor Routine
It has the capability to create its own server component.
HOSTS File Modification
It modifies the affected system's HOSTS file to prevent a user from accessing the following websites:
Information Theft
Once users access any of the monitored sites, it starts logging keystrokes.
Installation
It drops the following files depending on the platform/operating system of the affected computer:
- test2
It drops the following copies of itself into the affected system:
- test2
Other Details
It adds the following lines or registry entries as part of its routine:
- 1
Other System Modifications
It adds the following registry keys:
- sdfkhsj
- fh = 90780
SOLUTION
Step 1
Identify and terminate files detected as TROJ_EXEC_S
- For Windows 98 and ME users, Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 2
Restoring AUTOEXEC.BAT
- Open AUTOEXEC.BAT using Notepad. Click Start>Run, type this text string in the Open input box then press Enter: notepad C:\autoexec.bat
- Delete the following entries created by the malware:
- Close AUTOEXEC.BAT and click Yes when prompted to save.
Step 3
Display files and folders
This step allows you to display hidden files and folders on your system.
To display hidden files and folders:
• For Windows 98 and NT users:
- Open Windows Explorer. To do this, right-click Start then click Explore.
- On the View menu, click Options or Folders Options.
- Click the View tab.
- Select Show all files, then click OK.
• For Windows ME, 2000, XP, and Server 2003 users:
- Open Windows Explorer. To do this, right-click Start then click Explore.
- On the Tools menu, click Folder Options.
- Click the View tab.
- Select Show hidden files and folders, then click OK.
Step 4
Remove these strings added by the malware/grayware/spyware in the HOSTS file
This step allows you to prevent malicious and/or unauthorized website redirections.
- This is for testing purposes only11
To edit your computer's HOSTS file:
- Open the following file using a text editor (such as NOTEPAD):
  • On Windows 98 and ME: %Windows%\HOSTS.SAM
  • On Windows NT, 2000, XP, and Server 2003: %System%\drivers\etc\HOSTS
- Delete the following entries:
  • This is for testing purposes only11
  • ALSO This is for testing purposes only11
- Save the file and close the text editor.
Step 5
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, use Trend Micro's special fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.