English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Scar.dgje

Detected Dec 04 2010 12:24 GMT
Released Dec 04 2010 23:09 GMT
Published Sep 09 2011 09:54 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan program. It is a Windows application (PE-EXE file). 742912 bytes. Packed by an unknown packer. Unpacked size – around 788 kB. Written in Delphi.

Installation

When launching, the trojan copies its executable file under the following name:

%AppData%\msuwarn\<Original_Filename>
Where <Original_Filename> is the original name of the trojan file.

So that it may be automatically launched each time the system is started, the trojan adds a link to its executable file in the system registry startup key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"msuwarn"="%AppData%\msuwarn\<Original_Filename>"
The trojan also periodically checks for this registry key and restores it if it has been deleted.


Payload

The trojan deletes the following registry branch and all of the keys within it. This means that the OS cannot be loaded in "Safe mode":

[HKLM\System\ControlSet001\Control\SafeBoot]
The trojan retrieves two files from its body and saves these under the following names before launching them:
%AppData%\msuwarn\sdata.dll
This file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Agent2.cosd.
%Temp%\msuwarn.exe
This file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Pasmu.gv. When launched, this trojan program steals the logins, passwords, and other access data to various services from the following programs:
WS FTP
CuteFTP
Total Commander
FileZilla
FTP Commander
Mozilla Thunderbird
The Bat!
Pidgin
ICQ
QIP
Miranda
This trojan program also steals data from the following files:
%WinDir%\VD3User.dat
%WinDir%\Vd3main.dat
%WinDir%\win.ini
%UserProfile%\My Documents\*.rdp
The trojan may transfer the collected data to the attacker through HTTP-requests to the following resource:
v***erm.freehostia.com
The trojan carries out network communication with the following hosts:
p***ergi.dk
k***sse.ru
s-***isa.ru
e***a.ru
0***5d30.freehostia.com
a***2ec.110mb.com
8***808.x10hosting.com
c***0abb.awardspace.com
b***5413.exofire.net
b***e135.hostei.com
0***c269.orgfree.com
d***f5ac1.h18.ru
7***d80e.eu.pn
The trojan may also download files from the following links:
http://83.***.208.173/data/setx.txt
http://89.***.66.31/setx.txt
http://216.***.199.76/setx.txt
http://208.***.240.35/setx.txt
http://69.***.6.102/setx.txt
http://69.***.6.102/setx.txt
http://31.***.160.249/setx.txt
These links did not work when creating the description.


Removal instructions

If your computer has not been protected by antivirus software and is infected by a trojan program, you need to use Kaspersky Antivirus to delete it: run a full scan of the computer with Kaspersky Antivirus with updated antivirus databases (download trial version).


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.