TROJ_OPTIXKIL.30

Malware type: Trojan

Aliases: Trojan.Win32.OptixKill.30 (Kaspersky), OptixKiller (McAfee), Trojan Horse (Symantec), TR/Crypt.Morphine.Gen (Avira), Mal/Packer (Sophos), VirTool:Win32/Obfuscator.E (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This non-destructive, memory-resident Trojan disables certain antivirus and firewall programs in memory. It may arrive as a component of the backdoor malware BKDR_OPTIXPRO.11 or one of its other variants, disguised as a harmless program.

Description created: May. 10, 2002 3:27:09 PM GMT -0800
Description updated: May. 11, 2002 10:04:51 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 92,164 Bytes

Initial samples received on: May 10, 2002

Details:
On first execution, this Trojan copies itself to a VDMS.EXE file in the Windows directory. To execute upon system startup, it modifies the registry as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
printerdrv="%Windows%\vdms.exe"

Before it terminates, it executes its dropped copy and then stays resident in memory.

On Windows 9x/ME machines, it registers itself as a service process so that it does not appear in the Windows Task List. On Windows NT/2000 machines it stops the following services:

  • Alerter
  • Sharedaccess
  • Vsmon
  • Minilog
  • SVW3
  • BlackICE
  • NIVSUM
  • NISSERV

It then terminates the following antivirus and firewall processes in memory:

  • ZONEALARM.EXE
  • MINILOG.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • NISSERV.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • GUARDDOG.EXE
  • PERSFW.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • SPHINX.EXE
  • NPROTECT.EXE
  • NETUTILS.EXE
  • LDNETMON.EXE
  • PORTMONITOR.EXE
  • CONNECTIONMONITOR.EXE
  • NAV Auto-Protect
  • SymProxySvc.exe
  • SWEEPSRV.SYS
  • _AVP32.EXE
  • _AVPCC.EXE
  • NAVAPW32.EXE
  • RTVSCN95.EXE
  • DEFWATCH.EXE
  • VPTRAY.EXE
  • POPROXY.EXE
  • NAVAPSVC.EXE
  • ALERTSVC.EXE
  • NAVLU32.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NPSSVC.EXE
  • SWNETSUP.EXE
  • ICLOAD95.EXE
  • ICSUPP95.EXE
  • ICLOADNT.EXE
  • ICSUPPNT.EXE
  • ADVXDWIN.EXE
  • PADMIN.EXE
  • NWTOOL16.EXE
  • ANTI-TROJAN.EXE
  • WRCTRL.EXE
  • WRADMIN.EXE
  • CLEANER3.EXE
  • CLEANER.EXE
  • MOOLIVE.EXE
  • MGHTML.EXE
  • MCMNHDLR.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MCSHIELD.EXE
  • VSHWIN32.EXE
  • VSMAIN.EXE
  • SCAN32.EXE
  • SCRSCAN.EXE
  • ALOGSERV.EXE
  • VSECOMR.EXE
  • WEBSCANX.EXE
  • AVCONSOL.EXE
  • VSSTAT.EXE
  • SYMTRAY.EXE
  • VSCHED.EXE
  • MCTOOL.EXE
  • CMGRDIAN.EXE
  • AVXMONITORNT.EXE
  • AVXMONITOR9X.EXE
  • AVXQUAR.EXE.EXE
  • AMON9X.EXE
  • AVGSERV.EXE
  • AVGCC32.EXE
  • IOMON98.EXE
  • WEBTRAP.EXE
  • PCCWIN98.EXE
  • PCCIOMON.EXE
  • POP3TRAP.EXE
  • SS3EDIT.EXE
  • MONITOR.EXE
  • RAV7WIN.EXE
  • SWEEP95.EXE
  • MCAGENT.EXE
  • MCUPDATE.EXE
  • ntrtscan.EXE
  • pccwin97.EXE
  • pccntmon.EXE
  • pcscan.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • NORMIST.EXE
  • VETTRAY.EXE
  • AUTODOWN.EXE
  • ETRUSTCIPE.EXE
  • MWATCH.EXE
  • EFPEADM.EXE
  • RESCUE.EXE
  • AVKSERV.EXE
  • ACKWIN32.EXE
  • DVP95_0.EXE
  • F-AGNT95.EXE
  • F-PROT95.EXE
  • EXPERT.EXE
  • FP-WIN.EXE
  • F-STOPW.EXE
  • VIR-HELP.EXE
  • F-PROT.EXE
  • ATWATCH.EXE
  • ATUPDATER.EXE
  • PVIEW95.EXE
  • WGFE95.EXE
  • AVGCTRL.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • GENERICS.EXE
  • PROCESSMONITOR.EXE
  • PROGRAMAUDITOR.EXE
  • AVSYNMGR.EXE
  • LUCOMSERVER.EXE
  • WIMMUN32.EXE
  • AutoTrace.exe
  • NWService.exe
  • NTXconfig.exe
  • NeoWatchLog.exe
  • NSCHED32.EXE
  • WATCHDOG.EXE
  • ISRV95.EXE
  • REALMON.EXE
  • AVWINNT.EXE
  • AVGSERV9.EXE
  • avkpop.exe
  • avkservice.exe
  • avkwctl9.exe
  • fsav32.exe
  • fameh32.exe
  • fnrb32.exe
  • fsgk32.exe
  • fsma32.exe
  • fsmb32.exe
  • sbserv.exe
  • apvxdwin.exe
  • gbpoll.exe
  • gbmenu.exe
  • pavproxy.exe
  • VbCons.exe
  • vbcmserv.exe
  • Avgctrl.exe
  • Avsched32.exe
  • defscangui.exe
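The practical consequence of the list above is that a host's protection disappears silently. The check below is an added example, not part of the Trend Micro entry: it parses the output of the Windows "tasklist" command and reports which of the security processes a defender expects to be running are absent, and whether the dropped file name from this entry (vdms.exe) is present. The expected-process list and the tasklist sample are constructed for the example; a real deployment would list the tools actually installed on the host.

```python
"""Report missing security processes and known-bad image names.

Added example (not from the Trend Micro entry). Input is the text of a
`tasklist` run; the expected-process list is an assumption drawn from the
image names the entry says TROJ_OPTIXKIL.30 terminates.
"""

# Subset of image names from the entry; a defender substitutes the tools
# actually deployed on the host (assumed list for this example).
EXPECTED_SECURITY_PROCESSES = [
    "ZONEALARM.EXE",
    "NAVAPW32.EXE",
    "MCSHIELD.EXE",
    "PCCWIN98.EXE",
    "fsav32.exe",
]

# Constructed sample of `tasklist` output for a host where the Trojan has
# already stopped three of the five expected processes.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  1480 Console                    1     21,404 K
vdms.exe                      1612 Console                    1      1,224 K
MCSHIELD.EXE                   904 Services                   0      9,120 K
fsav32.exe                     988 Console                    1      4,004 K
"""


def parse_tasklist(text):
    """Return the set of image names (lower-cased) from `tasklist` output."""
    names = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        # Image names may contain spaces ("System Idle Process"), so the
        # name is everything before the first all-digit token (the PID).
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.isdigit():
                names.add(" ".join(parts[:i]).lower())
                break
    return names


def missing_security_processes(tasklist_text, expected=EXPECTED_SECURITY_PROCESSES):
    """Expected security processes that are not in the process list."""
    running = parse_tasklist(tasklist_text)
    return sorted(p for p in expected if p.lower() not in running)


def suspicious_processes(tasklist_text, indicators=("vdms.exe",)):
    """Known-bad image names from the entry that are currently running."""
    running = parse_tasklist(tasklist_text)
    return sorted(p for p in indicators if p.lower() in running)


if __name__ == "__main__":
    print("missing :", missing_security_processes(SAMPLE_TASKLIST))
    print("suspect :", suspicious_processes(SAMPLE_TASKLIST))
```

A missing protection process is only a signal, not proof of infection, but combined with the presence of vdms.exe it matches the behaviour this entry describes. Matching is case-insensitive because the entry lists names in mixed case and Windows image names are not case-sensitive.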


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.278.00

Pattern release date: May 10, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

  1. Click Start>Run, type Regedit then hit the Enter key.
  2. In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft
    >Windows>CurrentVersion>Run
  3. In the right panel, click this registry entry and then delete it. %Windows% is the Windows directory, usually located at C:\Windows or C:\WinNT:
    printerdrv = "%Windows%\vdms.exe"
  4. On Win2k machines, press CTRL-SHIFT-ESC to access the Task Manager, otherwise proceed to step 8.
  5. Click the Processes tab and select the process "vdms.exe".
  6. Click the "End Process" button to terminate this Trojan from memory.
  7. Restart your Computer.
  8. Scan your system with Trend Micro antivirus and delete all files detected as TROJ_OPTIXKIL.30. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.
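The autostart value described in the Technical Details (printerdrv under the Run key) and its removal in step 3 above can also be handled from the command line. The script below is an added example, not part of the Trend Micro entry: it parses a "reg export" style dump of the Run key, flags any value whose data references vdms.exe, and prints the equivalent "reg delete" command. The registry dump is a constructed sample; the value name and file name come from this entry.

```python
"""Locate and remove the TROJ_OPTIXKIL.30 autostart value.

Added example (not from the Trend Micro entry). It reads a .reg-format dump
such as `reg export` produces for the Run key, finds values whose data
points at the dropped file name given in the entry, and emits the matching
`reg delete` command for step 3 of the solution.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg export` output for the Run key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"printerdrv"="C:\\WINDOWS\\vdms.exe"
"""

# One string value per line: "name"="data"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text, key=RUN_KEY):
    """Return {value_name: data} for the named key in a .reg-format dump."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line.strip())
        if m:
            # .reg files escape each backslash as "\\"
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_optixkill_entries(reg_text, indicator="vdms.exe"):
    """Value names whose data references the dropped file from the entry."""
    return [name for name, data in parse_run_values(reg_text).items()
            if indicator.lower() in data.lower()]


def removal_commands(reg_text):
    """`reg delete` lines equivalent to step 3 of the entry's solution."""
    return [f'reg delete "{RUN_KEY}" /v "{name}" /f'
            for name in find_optixkill_entries(reg_text)]


if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_REG_EXPORT):
        print(cmd)
```

Matching on the file name rather than on the value name "printerdrv" is deliberate: the path data is what actually starts the Trojan, and a variant could register it under a different name while still pointing at vdms.exe. The process must still be terminated (steps 4 to 7) before the file is deleted, since the Run value alone does not stop the resident copy.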


