Detection added: May 26 2007 16:36 GMT
Description added: Nov 15 2007
Behavior: Trojan
This Trojan has a malicious payload. It is a Windows PE EXE file; the Trojan
components vary in size from 17 KB to 286 KB.
Installation
Once launched, the Trojan extracts a file with the following name from its
body to the current user's desktop:
Raila Odinga.gif
and opens it, so that the user is shown the image.
The Trojan also copies its executable file to the following directory:
%System%\drivers\RailaOdinga.exe
It also extracts the following file from its body:
%Temp%\nswC.tmp\System.dll
(A System.dll unpacked into a %Temp%\ns*.tmp\ directory is the plugin layout
used by NSIS installer stubs, so the random part of the directory name may
differ from one run to the next.)
In order to ensure that the Trojan is launched automatically each time the
user logs on, the Trojan writes the path of its executable file into the
default (unnamed, shown here as @) value of the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
@ = "%System%\drivers\RailaOdinga"
The Trojan also creates the following shortcut:
%Documents and Settings%\Start Menu\Programs\Autorun\RailaOdinga.lnk
When this shortcut is executed, the Trojan executable file is launched.
The Trojan copies its executable file to all removable media under the following
name:
<x>:\smss.exe
It also copies the extracted image:
<x>:\Raila Odinga.gif
<x> stands for the letter of the removable disk.
The Trojan creates an autorun.inf file in the root of the removable disk.
This file causes the Trojan executable file to be launched automatically when
the user opens the infected disk in Explorer (on systems where AutoRun is
enabled for removable media).
The Trojan also recursively copies its executable file into every folder on the
removable disk. Each copy is named after a file already present in that folder,
with an .exe extension, so that it masquerades as the existing file.
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program
originally penetrated the victim machine).
- Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
@ = "%System%\drivers\RailaOdinga"
- Delete the following files:
%Temp%\nswC.tmp\System.dll
%System%\drivers\RailaOdinga.exe
%Documents and Settings%\Start Menu\Programs\Autorun\RailaOdinga.lnk
- Delete the following file from the desktop:
Raila Odinga.gif
- Delete all copies of the Trojan from removable disks.
- Delete the autorun.inf file from the root directory of all removable disks.
- Update your antivirus databases and perform a full scan of the computer
(download a trial version of Kaspersky Anti-Virus).
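The removable-disk propagation described above (root-level smss.exe, autorun.inf and Raila Odinga.gif, plus per-folder copies named after existing files with .exe appended) and the "delete all copies from removable disks" step leave the analyst with a manual hunt across every folder of every disk. The scanner below is an added example written for this page, not code from the original description or from Kaspersky; it assumes the disk is mounted at a directory path you pass in, that the root indicator file names are exact (compared case-insensitively), and that a companion copy still sits next to the file whose name it borrowed. It parses the autorun.inf open= / shellexecute= / shell\...\command= lines so you can see what the file would launch, and build_sample_disk() lays down a constructed infected disk in a temporary directory for offline testing.

```python
"""Scan a mounted removable disk for the propagation artifacts described on this page.

Example code added for this page; assumptions are noted in comments.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Root-level file names taken from the description (assumed exact; matched case-insensitively).
ROOT_INDICATORS = ("smss.exe", "autorun.inf", "raila odinga.gif")

# autorun.inf keys that name something to execute: open=, shellexecute=, shell\<verb>\command=
_AUTORUN_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.IGNORECASE)


@dataclass
class ScanResult:
    root_hits: list = field(default_factory=list)        # indicator files found in the disk root
    autorun_targets: list = field(default_factory=list)  # what autorun.inf would launch
    companion_copies: list = field(default_factory=list)  # <name>.exe lying next to <name>

    def is_infected(self) -> bool:
        return bool(self.root_hits or self.companion_copies)


def parse_autorun_targets(text: str) -> list:
    """Return the command targets an autorun.inf names, in file order."""
    targets = []
    for line in text.splitlines():
        match = _AUTORUN_KEY.match(line.strip())
        if match:
            targets.append(match.group(2).strip())
    return targets


def scan_removable_disk(root: str) -> ScanResult:
    """Walk `root` and collect the artifacts; paths are returned relative to root with '/' separators."""
    result = ScanResult()
    for name in sorted(os.listdir(root)):
        if name.lower() in ROOT_INDICATORS:
            result.root_hits.append(name)
            if name.lower() == "autorun.inf":
                with open(os.path.join(root, name), errors="replace") as fh:
                    result.autorun_targets = parse_autorun_targets(fh.read())
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for f in sorted(files):
            # Heuristic for the per-folder copies: "report.doc.exe" next to "report.doc".
            # Assumption: the original file is still present; if the worm-style copy
            # replaced it, this check will not fire and a signature scan is needed.
            if f.lower().endswith(".exe") and f.lower()[:-4] in lowered:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                result.companion_copies.append(rel.replace(os.sep, "/"))
    return result


def build_sample_disk() -> str:
    """Create a constructed (not real) infected disk layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="raila_sample_")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "clean"))
    files = {
        "smss.exe": b"MZ-constructed-sample",
        "Raila Odinga.gif": b"GIF89a-constructed",
        "autorun.inf": "[autorun]\r\nopen=smss.exe\r\nshell\\open\\command=smss.exe\r\n",
        "docs/report.doc": b"document body",
        "docs/report.doc.exe": b"MZ-constructed-sample",   # companion copy of report.doc
        "docs/notes.txt": b"nothing of note",
        "clean/tool.exe": b"MZ-legitimate",                 # no sibling "tool": not flagged
    }
    for rel, data in files.items():
        mode, payload = ("w", data) if isinstance(data, str) else ("wb", data)
        with open(os.path.join(root, rel), mode) as fh:
            fh.write(payload)
    return root


if __name__ == "__main__":
    disk = build_sample_disk()
    found = scan_removable_disk(disk)
    print("root indicators:", found.root_hits)
    print("autorun.inf would launch:", found.autorun_targets)
    print("companion copies:", found.companion_copies)
    print("infected:", found.is_infected())
```

Run it against a mounted disk with scan_removable_disk("E:\\") or scan_removable_disk("/media/usb"); the companion-copy heuristic deliberately keys on the sibling relationship rather than on a hash, because the description gives sizes (17 KB to 286 KB) but no fixed sample checksum.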