| Detection added | Jun 25 2007 22:02 GMT |
| Update released | Jun 25 2007 23:35 GMT |
| Description added | Jul 11 2007 |
| Behavior | TrojanDownloader |
This Trojan is a Windows PE EXE file. It is 41,472 bytes in size.
Installation
When installing, the Trojan copies its executable file to the Windows system
directory:
%System%\ntos.exe
In order to ensure that the Trojan is launched automatically when the system
is rebooted, the Trojan adds a link to its executable file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"userinit" = "%System%\ntos.exe"
The Trojan tracks user activity in Internet Explorer.
If https://onlineeast.bankofamerica.com is opened or used, the Trojan will periodically
take screenshots of the user's desktop and upload them to the remote malicious user's FTP server.
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on
how the program originally penetrated the victim machine).
- Delete the following parameter from the system registry (see
"What is a system registry and how do I use it" for details on how to edit the registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"userinit" = "%System%\ntos.exe"
- Delete the following file:
%System%\ntos.exe
- Update your antivirus databases and perform a full scan of the
computer (download a trial version of Kaspersky Anti-Virus).
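
The check below is an added example, not part of the original description: a read-only PowerShell script that looks for the file and autorun value listed above. It assumes %System% means the Windows system directory, and it goes beyond the single HKCU key named here by also looking in SysWOW64 and in every loaded user hive; the function name Test-NtosIndicators is hypothetical.

```powershell
# Added example: read-only check for the indicators listed in this description.
# Assumption: %System% is the Windows system directory. SysWOW64 is checked too,
# because 32-bit processes on 64-bit Windows are redirected there.
$ExpectedSize = 41472        # file size in bytes, from the description
$ValueName    = 'userinit'   # Run value name, from the description
$RunSubKey    = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Test-NtosIndicators {
    $findings = @()

    # 1. Dropped file: %System%\ntos.exe
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path (Join-Path $env:windir $dir) 'ntos.exe'
        # -Force so hidden or system files are returned as well
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file) {
            $findings += [pscustomobject]@{
                Type   = 'File'
                Where  = $file.FullName
                Detail = "size=$($file.Length) sizeMatches=$($file.Length -eq $ExpectedSize)"
            }
        }
    }

    # 2. Autorun value in every loaded user hive (HKCU is one of these).
    #    Hives of other users are only readable from an elevated session.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $key  = "Registry::$($hive.Name)\$RunSubKey"
        $prop = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop -and $prop.$ValueName -match '\\ntos\.exe') {
            $findings += [pscustomobject]@{
                Type   = 'RunValue'
                Where  = $key
                Detail = $prop.$ValueName
            }
        }
    }
    return $findings
}

$result = Test-NtosIndicators
if ($result) { $result | Format-Table -AutoSize -Wrap } else { 'No listed indicators found.' }
```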