English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsTrojan.Java.Payphish.a

Trojan.Java.Payphish.a

Detected Jan 19 2009 07:11 GMT
Released Jan 19 2009 11:02 GMT
Published May 19 2010 11:26 GMT

Technical Details
Payload
Removal instructions

Technical Details

This program is a Trojan. It contains several modules. The files detected are Java class files and web pages (html files). Its components can be from 676 to 2139 bytes in size.


Payload

When the infected page is opened, Java class code starts to run, which leads to the following actions:

  • The following file is created and launched: 
    Ñ:\Windows\pay.reg
    This causes a change in the following system registry key value to: 
    [HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"="00000001"
    Internet Explorer's phishing filter is thereby disabled.
  • Internet Explorer is launched and the following link opens in its window: 
    http://www.mps****/~isara/payment_cancel_websc_4535/webscrcmd=_login-submit_main=0000.html
At the time of writing, this link was inactive. The Trojan then ceases running.


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file: 
    Ñ:\Windows\pay.reg
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).



Print
Bookmark and Share
Share
Trojans
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Java.Payphish.a (Kaspersky Lab) is also known as:

  • Trojan:Java/Rexec.A (MS(OneCare))
  • Java/Rexec.A trojan (Nod32)
  • Other:Malware-gen (AVAST)
  • Trojan.Java.Payphish (Ikarus)
  • Java/Agent.AI (AVG)
  • TR/Java.PayPhish.A (AVIRA)
  • Trojan.Gen (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • JS_EXEC.WKLA (TrendMicro)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search