SHARE
THIS ON

Facebook Twitter Google Plus

Trojan.Spy.Wsnpoem.HA

MEDIUM
MEDIUM
57856
()

Symptoms

- the presence of file: ntos.exe in %WINDIR%\system32\ folder or C:\Documents and settings\%username%\Application Data\.
- the presence of the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\ntos.exe"
or
userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\ntos.exe"

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Alexandru Maximciuc, virus researcher

Technical Description:

At execution this malware is a trojan that copies itself in %WINDIR%\system32\ntos.exe (or C:\Documents and settings\%username%\Application Data\) and he will create a registry key in order to make sure it will be executed after every reboot.
He will inject in svchost.exe and winlogon.exe and he can provide backdoor and proxy server capabilities.
Antivirus Software For Home Users
Business Security Solutions
Latest News
Tools & Resources