Winapa.exe definition, relationships, removal
March 25, 2005, 9:24 pm
Taken From: http://www.2-spyware.com/file-winapa-exe.html
winapa.exe description:
File winapa.exe is related to the WootBot Trojan.
Files related to winapa.exe:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe
File winapa.exe removal:
WARNING!!! File winapa.exe is related to spyware. This is a serious violation of your privacy; your system is under a security threat.
We advise you to scan your computer and eliminate possible threats.
You can also visit the ARNIT Online scanner to scan your computer for free!
http://www.arnit.net/security/tplarnit.php?page=vscan
Backdoor.IRC.Aladinz.G
March 25, 2005, 9:22 pm
Taken From: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html
Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.
Also Known As: Worm.Win32.Randon.o [Kaspersky]
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:
1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
* sample.bin (detected as Backdoor.Trojan)
* DivXinstall.bat (detected as Trojan Horse)
* DecodeDivX.exe (detected as Hacktool.DoS)
* nacs.exe (detected as Hacktool)
* DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
* Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
* DelDivX.exe (Process viewer. This utility is not viral by itself.)
* Divx.exe (Remote execution utility. It is not viral by itself.)
* helptoo.txt (Text file that includes a username. It is not malicious itself.)
* helpuse.txt (Text file that includes a username and password. It is not malicious itself.)
* DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself.)
Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
2. Adds the value:
"DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when you start or restart Windows.
3. Adds the values:
* "DisplayName"="mIRC"
* "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Note: If the mIRC subkey does not exist, the Trojan will create it.
4. Adds the values:
"(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"
to the following registry keys:
* HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
* HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
* HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
* HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command
so that c:\program files\common files\oobe\divx player 7.0\dr.divx.exe is launched whenever an IRC chat file is opened.
5. Creates the following subkeys:
* HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
* HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec
6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.
7. By default, the Trojan allows the hacker to perform any of the following actions:
* Download and execute files.
* Perform Denial of Service (DoS) attacks against predetermined targets.
* Attempt to compromise other machines through open shares or weak passwords.
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
W32/Forbot-CL
March 25, 2005, 9:19 pm
Taken From: http://www.sophos.com/virusinfo/analyses/w32forbotcl.html
Name
* W32/Forbot-CL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Sdbot.worm.gen
* WORM_WOOTBOT.CN
Detailed Description:
W32/Forbot-CL is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Forbot-CL copies itself to the Windows system folder as MQGUARD.EXE.
W32/Forbot-CL also creates its own service named "Win32" with display name "Windows Network Controller".
W32/Forbot-CL attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011). The worm may also spread via IRC channels.
W32/Forbot-CL may act as a proxy, delete network shares and steal keys for various software products.
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
WootBot Trojan, description and removal instructions
March 25, 2005, 9:11 pm
Taken From: http://www.2-spyware.com/remove-wootbot-trojan.html
Full name: WootBot Trojan
Type: Trojans
Also known as: Trojan.WootBot, WootBot
Related files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe
Severity scale: 67 / 100
WootBot Trojan description:
This parasite is especially dangerous for PC gamers. WootBot tries to steal the CD keys of various games and send them to a specified location. That is not the only threat to the user of an infected machine: the parasite also tries to connect to the Internet and download other parasites, and if it succeeds, even more problems may occur on the computer.
WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background
To Remove this trojan from your computer, you can SCAN your computer for FREE with ARNIT Online Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
Mqguard.exe definition, relationships, removal
March 18, 2005, 12:47 am
Taken from http://www.2-spyware.com/file-mqguard-exe.html
mqguard.exe description:
File mqguard.exe is related to the WootBot Trojan.
Files related to mqguard.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe
File mqguard.exe removal: WARNING!!! File mqguard.exe is related to spyware. This is a serious violation of your privacy; your system is under a security threat.
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
W32.Randex.PR (symantec32.exe)
March 15, 2005, 2:54 am
Info taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.pr.html
W32.Randex.PR is a network-aware worm that attempts to copy itself to computers with weak administrator passwords. The worm receives instructions from an IRC channel on a predetermined IRC server.
Also Known As: W32/Spybot.worm.gen.a [McAfee]
Variants: W32.Randex.gen
Type: Worm
Infection Length: 66,857 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Technical Details:
When W32.Randex.PR is executed, it does the following:
1. Copies itself as %System%\symantec32.exe.
Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Calculates a random IP address and attempts to authenticate itself to it.
3. Attempts to copy itself to the following locations on computers with weak administrator passwords:
* \c$\symantec32.exe
* \c$\winnt\system32\symantec32.exe
* \Admin$\system32\symantec32.exe
4. Remotely schedules a task to run the worm on a newly infected computer.
5. Adds the following values:
* "Symantec Security"="symantec32.exe"
* "Windows Loader" = "svchosts.exe"
to the registry keys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
6. Connects to an IRC channel on a predetermined IRC server to receive remote instructions, such as:
* Ntscan: Scans for computers with weak administrator passwords, and then copies itself to these machines.
* Syn: Performs a SYN flood attack with a data size of 55808 bytes.
* Sysinfo: Retrieves the infected machine's information, such as CPU speed and the amount of memory.
7. Steals the CD keys of the following games:
* FIFA 2003
* Need For Speed Hot Pursuit 2
* Soldier of Fortune II
* Rainbow Six III Ravenshield
* Battlefield 1942 Road To Rome
* Battlefield 1942
* IGI 2
* Counter-Strike
* Unreal Tournament 2003
* Half-Life
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
Worm.Win32.Randon.o [Kaspersky]
March 13, 2005, 8:39 pm
Taken from http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html
Description:
Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.
Also Known As: Worm.Win32.Randon.o [Kaspersky]
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:
1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
* sample.bin (detected as Backdoor.Trojan)
* DivXinstall.bat (detected as Trojan Horse)
* DecodeDivX.exe (detected as Hacktool.DoS)
* nacs.exe (detected as Hacktool)
* DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
* Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
* DelDivX.exe (Process viewer. This utility is not viral by itself.)
* Divx.exe (Remote execution utility. It is not viral by itself.)
* helptoo.txt (Text file that includes a username. It is not malicious itself.)
* helpuse.txt (Text file that includes a username and password. It is not malicious itself.)
* DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself.)
Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
2. Adds the value:
"DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when you start or restart Windows.
3. Adds the values:
* "DisplayName"="mIRC"
* "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Note: If the mIRC subkey does not exist, the Trojan will create it.
4. Adds the values:
"(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"
to the following registry keys:
* HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
* HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
* HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
* HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command
so that c:\program files\common files\oobe\divx player 7.0\dr.divx.exe is launched whenever an IRC chat file is opened.
5. Creates the following subkeys:
* HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
* HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec
6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.
7. By default, the Trojan allows the hacker to perform any of the following actions:
* Download and execute files.
* Perform Denial of Service (DoS) attacks against predetermined targets.
* Attempt to compromise other machines through open shares or weak passwords.
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
Remove WootBot Trojan, description and removal instructions
March 6, 2005, 2:08 pm
Taken from: http://www.2-spyware.com/remove-wootbot-trojan.html
Full name: WootBot Trojan
Type: Trojans
Also known as: Trojan.WootBot, WootBot
Related files: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe
Severity scale: 67 / 100
WootBot Trojan description: This parasite is especially dangerous for PC gamers. WootBot tries to steal the CD keys of various games and send them to a specified location. That is not the only threat to the user of an infected machine: the parasite also tries to connect to the Internet and download other parasites, and if it succeeds, even more problems may occur on the computer.
WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background
WootBot Trojan manual removal:
Kill processes:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe
Delete files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
Ctfnom.exe definition, relationships, removal
March 6, 2005, 2:04 pm
Taken from: http://www.2-spyware.com/file-ctfnom-exe.html
ctfnom.exe description:
File ctfnom.exe is related to the WootBot Trojan.
Files related to ctfnom.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, symantec32.exe, syshelper.exe, mqguard.exe
File ctfnom.exe removal: WARNING!!! File ctfnom.exe is related to spyware. This is a serious violation of your privacy; your system is under a security threat.
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan
For removal instructions please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows
W32/Rbot-WX
March 6, 2005, 12:47 pm
Taken from: http://www.sophos.com/virusinfo/analyses/w32rbotwx.html
Description:
W32/Rbot-WX is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-WX spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-WX can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WX can be instructed by a remote user to perform the following functions:
* start an FTP server
* start a Proxy server
* start a web server
* take part in distributed denial of service (DDoS) attacks
* log keypresses
* capture screen/webcam images
* packet sniffing
* port scanning
* download/execute arbitrary files
* start a remote shell (RLOGIN)
The worm copies itself to a file named lsassx.exe in the Windows system folder and creates the following registry entries:
HKCU\Software\Microsoft\OLE\Windows Taskmanager="lsassx.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Taskmanager="lsassx.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Taskmanager="lsassx.exe"
Aliases: Backdoor.Win32.IRCBot.y
Affected operating systems: Microsoft Windows Operating Systems
Side effects:
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
To scan your computer for W32/Rbot-WX, please check ARNIT Free Online Virus scanner at http://www.arnit.net/security/tplarnit.php?page=vscan
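As an added example (not code from ARNIT or from the Symantec, Sophos or 2-spyware write-ups quoted above), here is a Python triage check that runs over the text of a Windows "reg export" and flags the autostart values and ChatFile/irc handler keys described for Backdoor.IRC.Aladinz.G, W32.Randex.PR and W32/Rbot-WX. The .reg sample it parses is constructed; only the key names, value names and dropped-file names are taken from the posts above.

```python
"""Triage check for the registry persistence described in the write-ups above: flag
autostart values and chat-file handlers that point at the executables these bots drop."""
import re

# Autostart locations named in the write-ups, matched by suffix so any hive works.
# HKCU\Software\Microsoft\OLE is not a real autostart key; W32/Rbot-WX mirrors its
# Run value there, so an .exe under it is a signal in its own right.
AUTOSTART_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
                  r"Software\Microsoft\Windows\CurrentVersion\RunServices",
                  r"Software\Microsoft\OLE")
# Handler keys Backdoor.IRC.Aladinz.G rewrites so that opening a chat file launches it.
ASSOCIATION_KEYS = (r"ChatFile\Shell\open\command", r"Software\Classes\irc\Shell\open\command")
# Dropped-file names collected from the WootBot, Randex.PR, Aladinz.G and Rbot-WX write-ups.
KNOWN_BAD_FILES = {"navsys32.exe", "svcshost.exe", "elite.exe", "winssv.exe", "lsass2.exe",
                   "pomedsrv.exe", "winapa.exe", "ctfnom.exe", "symantec32.exe", "syshelper.exe",
                   "mqguard.exe", "svchosts.exe", "lsassx.exe", "dr.divx.exe"}
# Legitimate Windows binaries that some of those names imitate.
LOOKALIKE_OF = {"svchosts.exe": "svchost.exe", "svcshost.exe": "svchost.exe",
                "lsassx.exe": "lsass.exe", "lsass2.exe": "lsass.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in .reg text; dword:/hex: data is skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])

def command_basename(cmd):
    """Lower-case file name of the program a Run-style command launches; copes with quoted
    paths, unquoted paths containing spaces (as in the Dr.DivX.exe value) and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        prog = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        prog = m.group(1) if m else cmd.split(" ", 1)[0]
    return prog.rsplit("\\", 1)[-1].lower()

def _under(key, suffixes):
    return any(key.lower().endswith(s.lower()) for s in suffixes)

def find_suspicious(reg_text):
    """Return (key, value_name, data, reason) for every entry worth a second look."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        exe = command_basename(data)
        if _under(key, AUTOSTART_KEYS):
            if exe in KNOWN_BAD_FILES:
                reason = "autostart points at a file name dropped by these bots"
                if exe in LOOKALIKE_OF:
                    reason += f" (imitates {LOOKALIKE_OF[exe]})"
                hits.append((key, name, data, reason))
            elif "\\" not in data:
                # Bare names such as "Symantec Security"="symantec32.exe" are resolved via the
                # search path; legitimate installers almost always register a full path.
                hits.append((key, name, data, "autostart with bare file name"))
        elif _under(key, ASSOCIATION_KEYS) and exe in KNOWN_BAD_FILES:
            hits.append((key, name, data, "chat-file handler replaced by a dropped executable"))
    return hits

# Constructed sample export: one benign entry plus the values quoted in the write-ups.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Symantec Security"="symantec32.exe"
"Windows Loader"="svchosts.exe"
"DivX MediaPlayer 7.0"="C:\\Program Files\\Common Files\\OOBE\\DivX Player 7.0\\Dr.DivX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Taskmanager"="lsassx.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows Taskmanager"="lsassx.exe"
[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
@="c:\\program files\\common files\\oobe\\divx player 7.0\\dr.divx.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
"DisplayName"="mIRC"
'''

if __name__ == "__main__":
    for key, name, data, reason in find_suspicious(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name} = {data}: {reason}")
```

A real export is written by reg.exe as UTF-16; decode it to str before passing it to find_suspicious.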