Trojan.Win32.Vilsel.ato
| Detected | Sep 10 2009 18:22 GMT |
| Released | Sep 10 2009 22:35 GMT |
| Published | Jul 02 2010 07:27 GMT |
This Trojan is designed to install and launch other malicious programs on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1083904 bytes in size. It is packed by an unknown packer, with an unpacked size of approximately 2600 KB.
Disables the system firewall, changing the value of the following registry key:
AvSynMgr naPrdMgr vshwin32 McShield mcshield Mcdetect mcagent mcdash mcvsshld mcvsescn mctskshd MpfService mcvs opscan ccapp norton SAVScan ccApp ccEvtMgr ISSVC SBServ symlcsvc SPBBCSvc nod32krn navapsvc nava nisum nisserv navwnt AvpM avpm klswd kav kavsc avp. AVGUARD avguard AVGNT avgnt sched pavsrv51 AVENGINE PNMSRV PsImSvc SRVLOAD APVXDWIN PavFnSvr TPSrv Inicio pavcl ntrtscan OfcPfwSvc PccNTMon pccntupd PNTIOMON schupd scan fprot avwin ave32 isafe tmntsrv fsav32 avkwctl ashServ dvpapi
tsc webtrap TMOAgent TeaTimer sdhelper Spybot spybot MSASCui guard ewido avgas avgemc gcas sunas spys ActiveDetection blackd fsdfwd smc zlclient persfw efpeadm fsguiexe kpf4gui pccpfw msscli Tmas swdoctor spyc ccsetmgr ctagent vsmon webscan dbgmgr avp32 bdss xcommsvr avgamsvr avfwsvc avgupsvc nvcpl zonealarm zlclient scan virus firewall protect secure optimize nod32 mpf agent drweb alert avscan kpf4 msblast cfp zapro zonea ave32 avp. _av
http://fc.web********.de/as_noscript.php?name=load3
The program downloads a file from the following link:
http://fc.web********.de/as_noscript.php?name=rn
The downloaded file is then saved as follows:
%Temp%\<rnd>.tmp
where <rnd> is one of the following variants:
prun rasesnet wavvsnet winvsnet xpre
After it has been successfully downloaded it is executed and the Trojan clears the history of links in Internet Explorer and completes its operation.
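A defender-side sweep for the dropped payload described above, as an added example that is not part of the original description: it lists `.tmp` files in a temp directory that are really PE executables and marks those whose name matches one of the listed `<rnd>` variants. The function names, the reason labels and the constructed PE stub are assumptions made for this illustration.

```python
import tempfile
from pathlib import Path

# <rnd> name variants listed in the description for %Temp%\<rnd>.tmp
LISTED_NAMES = {"prun", "rasesnet", "wavvsnet", "winvsnet", "xpre"}


def build_pe_stub() -> bytes:
    """Constructed sample: smallest byte string that passes is_pe() (not real code)."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"


def is_pe(path: Path) -> bool:
    """True if the file starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            fh.seek(int.from_bytes(head[0x3C:0x40], "little"))
            return fh.read(4) == b"PE\0\0"
    except OSError:  # locked or unreadable file: skip rather than abort the sweep
        return False


def scan_temp(temp_dir):
    """Return sorted (file name, reason) pairs for .tmp files that are really executables."""
    findings = []
    for entry in sorted(Path(temp_dir).iterdir()):
        if entry.suffix.lower() != ".tmp" or not entry.is_file() or not is_pe(entry):
            continue
        # An exact name match is the stronger signal; any other PE hidden behind
        # a .tmp extension is still reported for triage.
        reason = "listed-name" if entry.stem.lower() in LISTED_NAMES else "pe-in-tmp"
        findings.append((entry.name, reason))
    return findings


if __name__ == "__main__":
    # On Windows gettempdir() resolves to the current user's %Temp%.
    for name, reason in scan_temp(tempfile.gettempdir()):
        print(f"{reason:12} {name}")
```

Checking the header rather than the extension matters here because the payload is saved with a `.tmp` extension before it is executed.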
If your computer does not have an up-to-date antivirus program, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
Trojan.