BitDefender Antivirus

Trojan.Spy.Wsnpoem.HA

Spreading: medium
Damage: medium
Size: 57856
Discovered: 2008 Aug 22

SYMPTOMS:

- the presence of the file ntos.exe in the %WINDIR%\system32\ folder or in C:\Documents and settings\%username%\Application Data\.
- the presence of the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit="%WINDIR%\system32\userinit.exe,%WINDIR%\system32\ntos.exe"
or
userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\ntos.exe"

TECHNICAL DESCRIPTION:

This malware is a trojan that, when executed, copies itself to %WINDIR%\system32\ntos.exe (or to C:\Documents and settings\%username%\Application Data\) and creates a registry key to make sure it is executed after every reboot.
It injects itself into svchost.exe and winlogon.exe, and it can provide backdoor and proxy server capabilities.
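
The persistence symptom listed above (an extra program appended to the Winlogon userinit value) can be checked mechanically. The following Python code is an added example, not part of the BitDefender description; the function names, the default Windows directory and the sample values are assumptions constructed for illustration.

```python
import ntpath

# Expected first entry of the Winlogon userinit value, as shown in the symptoms.
EXPECTED = r"%windir%\system32\userinit.exe"
# File name the description lists as the indicator for this trojan.
INDICATOR_NAME = "ntos.exe"


def normalize(path, windir=r"C:\WINDOWS"):
    """Lower-case, strip quotes, and fold the literal Windows dir into %windir%."""
    p = path.strip().strip('"').lower()
    p = ntpath.normpath(p) if p else p
    wd = ntpath.normpath(windir.lower())  # windir default is an assumption
    if p.startswith(wd + "\\"):
        p = "%windir%" + p[len(wd):]
    return p


def check_userinit(value, windir=r"C:\WINDOWS"):
    """Return (verdict, extra_entries) for a Winlogon 'userinit' value string.

    verdict: 'clean'      - only the expected userinit.exe entry
             'indicator'  - an extra entry named ntos.exe (matches the description)
             'suspicious' - some other extra entry, or userinit.exe missing
    """
    entries = [normalize(e, windir) for e in value.split(",")]
    entries = [e for e in entries if e]  # a trailing comma is normal
    extras = [e for e in entries if e != EXPECTED]
    if any(ntpath.basename(e) == INDICATOR_NAME for e in extras):
        return "indicator", extras
    if extras or EXPECTED not in entries:
        return "suspicious", extras
    return "clean", extras


# Constructed sample values (not captured from a real host).
SAMPLES = [
    r"C:\WINDOWS\system32\userinit.exe,",
    r"%WINDIR%\system32\userinit.exe,%WINDIR%\system32\ntos.exe",
    r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\alice\Application Data\ntos.exe,",
    r"C:\WINDOWS\system32\userinit.exe,C:\temp\helper.exe",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_userinit(s), "<-", s)
```

A "suspicious" verdict only means the value differs from the expected single entry and needs review; the "indicator" verdict corresponds to the ntos.exe entry named in the symptoms.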

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect your files.

ANALYZED BY:

Alexandru Maximciuc, virus researcher