Trojan.Spy.Wsnpoem.HA

MEDIUM
MEDIUM
57856

Symptoms

- the presence of the file ntos.exe in the %WINDIR%\system32\ folder or in C:\Documents and settings\%username%\Application Data\.
- the presence of one of the following userinit values under this registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\ntos.exe"
or
userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\ntos.exe"

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Alexandru Maximciuc, virus researcher

Technical Description:

This malware is a trojan. When executed, it copies itself to %WINDIR%\system32\ntos.exe (or to C:\Documents and settings\%username%\Application Data\) and creates a registry key to make sure it is executed after every reboot.
It injects itself into svchost.exe and winlogon.exe, and it can provide backdoor and proxy server capabilities.
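
A PowerShell check for the two symptoms listed above, added here as an example and not part of the original Bitdefender write-up. The function name Get-UserinitExtraEntries is hypothetical, and any entry it reports is a candidate for review rather than a confirmed infection.

```powershell
# Added example: looks for the Userinit modification and the ntos.exe file
# described in the Symptoms section. Run from an elevated prompt.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected    = Join-Path $env:WINDIR 'system32\userinit.exe'

function Get-UserinitExtraEntries {
    # Hypothetical helper: returns every Userinit entry that is not the stock userinit.exe.
    param([string]$Value, [string]$Expected)
    # Userinit is a comma-separated list; the default value ends with a trailing comma.
    $Value -split ',' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ -and ($_ -ne $Expected) }   # -ne ignores case for strings
}

# Symptom 1: extra program appended to Winlogon\Userinit
$userinit = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
$extra    = @(Get-UserinitExtraEntries -Value $userinit -Expected $expected)

# Symptom 2: ntos.exe in system32 or in a user's Application Data folder
$candidates   = @(Join-Path $env:WINDIR 'system32\ntos.exe')
$profilesRoot = 'C:\Documents and Settings'
if (Test-Path -LiteralPath $profilesRoot) {
    Get-ChildItem -Path $profilesRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $candidates += Join-Path $_.FullName 'Application Data\ntos.exe' }
}
$found = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

# Report
"Userinit value : $userinit"
if ($extra.Count -gt 0) {
    "Unexpected Userinit entries (review each one):"
    $extra | ForEach-Object { "  $_" }
} else {
    "Userinit contains only $expected"
}
if ($found.Count -gt 0) {
    "ntos.exe found at:"
    $found | ForEach-Object { "  $_" }
} else {
    "ntos.exe not found in the locations listed on this page"
}
```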