Trojan Horse Viruses

Trojan Horse viruses continue to be some of the most pervasive forms of malware. Consider the vital facts about Trojan Horse viruses and protect your computer from danger.

The term "Trojan Horse virus" does not refer to a single program. It refers to a class of malware that can inflict damage on a computer or network of computers. Technically they are not viruses, but their activities lead to them being classified as such.

Variants

These computer threats can be classified by the type of attack or payload. Some of the most common are the following.

The remote access types are those that can disrupt or halt connections to a remote server. Related to this are those that attack proxy, FTP or HTTP servers. Other variants reported are those that interrupt services (DoS) and terminate downloads.

Some of the deadliest Trojan Horse viruses are those that destroy data on a hard disk. When the malware activates it will destroy the files on a computer or render it unusable altogether.

It should be stated that some variants cause no harm. However, they should still be removed. They could have been set up to wait for a specific user action before activating.

How They Work

There is no standard way in which these programs operate. This is because they are created by different authors with unique targets. One thing that can be said is that they are all discreet. Whether it uses applets or commands, the program will often run in the background without the user being aware. The only time you realize there are Trojan Horse viruses will be when the payload is delivered.

Methods of Transmission

The most frequent way the program infects a computer is through downloading. When you download software or a game from a website, it could be carrying the program. The malware is activated whenever the software is run. Pirated software is another common source. These applications have been altered by hackers and may contain several types of malware.

Removal and Prevention

The most efficient way of getting rid of these programs (and spyware) is by using up-to-date antivirus software. Keep it running while you are browsing online. Before installing any application, scan it. Once the antivirus detects a Trojan Horse virus, the removal process will begin. Keep your antivirus updated at all times, as new malware is constantly being created.

You can also use a bootable disk or CD to remove the threat. This may be necessary if the antivirus cannot locate it. In the end though, prevention is still the best way. Perform periodic scans on your computer. Don’t just limit the scan to your documents. Make sure that the Registry and system files are also infection free. These scans can take a while, so schedule them for when your work is finished.

Tech sites offer the latest news on potential computer threats, so read them. Although a lot of these viruses attack major company sites, it’s still better to be safe than sorry.

The threats posed by Trojan Horse viruses cannot be underestimated. Some can totally destroy a network or steal important files. By performing the steps suggested, you can keep your files safe from harm.

Torpig

Torpig is a dangerous Trojan Horse that can destroy valuable data on your PC. Protect your personal files from Torpig by being aware of the vital facts about it.

Torpig is one of the most destructive of all Windows Trojan Horses. Not only does it steal and destroy files, it can also install malware. The following sections describe the damage it can cause and how it can be stopped.

Vulnerable Software

The program is known to affect all major versions of Windows from 95 to XP. It is uncertain whether a strain has been developed to run on Vista as well. As a Trojan Horse, it can be installed on a computer from infected software.

Effects on Computers

This malware is very destructive. The reason is that, unlike other Trojans, the Torpig payload can affect several components of a computer. It can deactivate the antivirus software in your system. When this happens, it will be able to download more malware that can wreak havoc on the computer.

Like other Trojans it can delete files. However it goes further than that. A remote user can infiltrate the operating system and steal files or change settings. In short, when this program is active, the computer can be run by another user somewhere else. One of the ways in which information is transferred is via a log of the keyboard commands you use. The data is logged and sent out via HTTP. The remote user can then manipulate the system.

It is its capacity to steal information, though, that has made Torpig notorious. A report by the BBC stated that half a million online credit / bank accounts have been stolen using this program.

Removal and Prevention

If the program is in your system, use a virus scanner to remove it. If the antivirus has been disabled, follow these steps.

Go to the Start Menu and select “Run”.

Type “regedit” and click OK.

When the Registry Editor opens, select “Export Registry”; choose all in the range. This will be your Registry backup. In case anything goes wrong, put this back and restart the computer.

Every Windows user account is identified by a number, so this step has to be repeated for each of them. Look for something like this:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\explorer\service\explorer.exe

Delete it. Close the editor and restart the computer. If the problem persists, proceed to the next step.

Check whether the following Registry entries exist. If they do, remove them to completely eliminate Torpig.

HKCU\Software\Microsoft\Windows\CurrentVersion\pwd

HKCU\Software\Microsoft\Windows\CurrentVersion\gnum

HKCU\Software\Microsoft\Windows\CurrentVersion\myID2

Also check in Windows Explorer and delete the following files:

\service\dll.dll

\service\dllp.txt

\service\explorer.exe

To keep this malware from entering your system in the first place, do not download software or games from unknown websites. You should also avoid opening any attachments that end in .exe.

Finally, schedule a full scan once a month. If you don’t scan regularly, you may not realize that the program is already in your system until it is too late. By checking on a consistent basis, you can assess the situation more easily.

Torpig can cause a lot of trouble, but if you take the proper precautions this can be prevented. By taking these steps you lessen the chances of being infected.

Rustock.C

Rustock.C is a Trojan that has affected thousands of computers worldwide. Assimilate vital details about Rustock.C and avoid becoming a victim.

Rustock.C is one of the hardest Trojans to detect and decipher. It can cause a lot of problems, from spamming to deleting files. The following information will help you understand the facts about this program.

How the Malware Works

This program affects computers running Windows operating systems. When it gets inside a system, it will install files with names like glaide32.sys and null.sys. It may also replace beep.sys with a corrupted version.

The Trojan will add the following entries to the Windows Registry:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath = %fystemRoot%\system32\svchost.exe -k netsvcs

HKLM\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath = %fystemRoot%\System32\svchost.exe -k netsvcs

The key detail there is “fystemRoot”, which replaces the original “SystemRoot”.

It has also been reported that the program installs a file or files in the temp folder in Windows. It may also create several files with the extension .sys in the Windows\System folder.

Effects on Computers

The Rustock.C Trojan goes after several drivers. Specifically, it goes after the files in the Windows\System32\Drivers folder. The Trojan also bypasses firewalls. Another reason why this malware is so hard to remove is that it targets the basic Microsoft drivers.

Instead of eliminating drivers, it merges with those in the boot and system sector. Among the files it attacks are fastfat.sys, and ntfs.sys. It also has the ability to move from one system driver to another.

These drivers are integral to running your system, and by altering them the malware can wreak havoc on it. Everything from slowdowns to error messages and software problems will emerge. It can also affect your Internet connection. The malware connects to remote servers and floods your email with spam.

It should be stated that Rustock.C affects computers in different ways. Some report that the malware downloads other dangerous programs into the system. There are some that filter and seize control of other functions like graphics and the communication in subsystems. It is also built to withstand debugging. It also manipulates the different processes associated with the kernel mode.

How it Performs Spamming

Analysis of the malware revealed several variants in existence. They are named C1, C2, C3 and C4. They differ slightly in size (from 150,000 to 250,000 bytes). The biggest difference between the variants is the DLL code used for spamming. Based on the information obtained by experts, the DLL implants itself in system memory.

Once in place, Rustock.C fuses itself with the winlogon.exe file. It connects to a remote server and obtains spam. This will then be distributed to several computers. Unlike other malware, the file is embedded in RAM, not on the hard disk.

Removal and Prevention

If your system is already infected, perform a full scan. Do not back up files now. Wait until the antivirus has removed all traces of it. Restart the PC and check the different applications. Some would recommend that you replace the drivers in Windows\system32\drivers with the ones from your CD. If you are running Windows Vista, upgrade to x32 SP1.

As with other Trojans, viruses and other malware, the key to stopping Rustock.C is practicing safe computing. Upgrade PC software and do virus scans frequently and you won’t have troubles.

Mocmex

The Mocmex Trojan can cause serious system damage or loss of vital information. Evaluate the critical facts about Mocmex and secure your system from any threats by this virus.

Mocmex is a virus / malware that can obtain passwords and other important files on your computer. It is one of the most lethal Trojan Horses around so you need to keep your system well protected.

How the Virus Works and Spreads

This virus is noteworthy for being the first one located on digital photo frames. Once the malware is in your system and you play an online game, it springs to action. It will look for and disable firewalls and other protective devices. Subsequently it will connect to the Net and download updates or other malware.

Another problem posed by the Mocmex is it can attach itself to removable drives / storage. When a CD or any other removable drive is connected to the infected computer, it will put a copy on the portable drive.

The malware also places a duplicate in the Windows/Program Files folder. Some names used include the following:

%Program Files%\.inf
%Program Files%\cfkbyse.inf
%Program Files%\Common Files\Microsoft Shared\vnwpbns.exe

Effects on Computers

Once the file is on a drive, it creates a random name for itself. It may also use the “hidden” attribute to make itself discreet. It writes an entry to the Windows Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\Debugger value = “%Program Files%\Common Files\Microsoft Shared\

This allows Mocmex to disable security features on PCs and networks. It will also attempt to delete or disable several critical system files. These include ArSwp.exe, autoruns.exe, FYFireWall.exe and others. Generally the files it targets are those involving security, firewall and systems configuration. The following files are also disabled if found: SharedAccess, wscsvc, helpsvc and wuauserv.

Removal and Prevention

The most effective protection is to install reliable antivirus software before any signs of the malware appear. Although most programs can detect the virus afterwards, it is better to install one before sensing any sign of Mocmex. If you detect sudden system slowdowns or unusual software behavior, perform a full scan. If the virus is detected, choose delete when the antivirus asks what you want to do.

Your antivirus program will be useless if it is not updated. If you don’t want to pay the subscription fee, download a free antivirus program. These also offer effective protection without cost.

Some viruses can be removed manually through manipulation of the Windows Registry keys. In this case that is not recommended. First of all most programs can delete it automatically. Second, the malware plants itself in many folders. Hunting down each one is impractical. You could end up deleting the wrong file and make things worse.

Another thing you can do is disable autorun in Windows. Right click the CD icon in My Computer and choose properties. Enable “prompt me for what action to take” on all removable drives.

Like other Trojans, Mocmex can wreak havoc and spread quickly. But the protective steps are easy to do. If you keep away from suspicious software and scan consistently, you won’t get this virus. Even if you do, removing it will be easy.

MacSweeper

MacSweeper is a potentially dangerous program that can inflict damage on your Mac system. Evaluate the facts about MacSweeper and take the steps for protecting your files.

MacSweeper isn’t really a virus or worm but it can be as lethal. Basically what it does is misinform the user, stating that there are viruses in the system when there are none. To detect and eliminate this threat you should be aware of the vital facts.

How the Program is installed

When a computer user downloads a program at the KIVVI website, the application is installed without their knowledge. Subsequently it will check the software in the system. It will then inform the user that some of these applications are dangerous or contain spyware. It will recommend their deletion. When one tries to remove the said programs a message will appear stating MacSweeper is a trial version and cannot do the job.

To successfully eliminate the threat financial information must be handed out in exchange for the serial key worth about $40. Losing personal information is only one problem. The other is if the user persists in removing the “spyware infected” application by force, system errors might emerge.

It is unclear as to whether one will actually get a key when payment is made. Even if that were the case there are still problems. One of them is that there is no guarantee that the program will work when the key arrives.

Removal and Prevention

Most of the antivirus software developers have released fixes to combat the rogue application. If you update your spyware / antivirus program the threat will be identified and removed. To be certain run the scanner in full or thorough mode. Among the vendors that can remove it are Symantec, Intego VirusBarrier and Sunbelt Software. To remove them effectively you should check each website.

This will take longer, but it ensures that there will be no traces left in your computer. Most Apple applications have uninstallers included. There are also third party vendors that sell software removers. Be sure to download only from well known sites. Although the files in reputable sites are scanned before being uploaded, you should still check them for infection. When you download a program, run a scan prior to installation.

Of course the best way to avoid the problem is to steer clear of the website http://www.macsweeper.com. Currently the site is disabled. However, the KIVVI software site is still around. It has also released a statement on its website claiming that the program is not a spyware.

The threat posed by this program cannot be taken lightly. To some it seems nothing more than an annoyance. However it is best to take the necessary precautions.

Other Information

This rogue application is said to be the first one for the Macintosh. It was uncovered on 17 January 2008.

KIVVI software publishes a similar-looking program for Windows called Cleanator. If you are running the Windows operating system, you should remove this program as well. Its potential for damage is unclear, but it is best to remove it.

The Macintosh has long been considered virus free. The presence of an application like MacSweeper, however, shows that one can never be too sure. By taking precautions, you will avoid loss of data.

Koobface

The Koobface virus can infect social networking sites, leading to data loss. Uncover the ways of removing the Koobface virus and keep your home page worm and virus free.

If you own an account in sites like Facebook and MySpace, you should be aware of how the Koobface virus works. This knowledge will help keep your site and personal information safe.

How the Virus Spreads

A user on Facebook will get a message. The headers vary, but the most popular ones include the following:

You must see it!!! LOL.
Paris Hilton Tosses Dwarf On The Street
Funny Moments
You look so amazing funny on our new video

The message will take you to a site that supposedly offers an Adobe Flash upgrade or player. In reality it is the virus. Once it has been downloaded, the virus takes over your web browsing. Every time you use search engines like Google, MSN, Live and Yahoo you’ll get nothing but infected sites.

There are currently two variants known as Net-Worm.Win32.Koobface.a and b. The former goes after MySpace while the latter infects Facebook users. Its effect seems limited to systems running Microsoft Windows.

Effects on Computers

The main objective of the virus is to infect your friends’ accounts as well. It will install inyproxy.exe, which tracks the “friends” database on your system. Subsequently it sends a similar message with a link to the virus to your friends. In some cases it can hijack your connection. Instead of getting to Google for example, you’ll be taken somewhere else.

The damage that it can cause varies. Apart from misdirecting your Web searches, some report hard disk files disappearing or being deleted.

Removal and Prevention

The best way to remove Koobface is to delete any messages you get with the above-mentioned headers. If the header you get is different but seems unusual, ask your friend whether that message really came from them.

If you have antivirus software, run it. If your antivirus software is up to date, it will detect and automatically remove the virus. Even free antivirus software can get rid of it. If you would rather remove it manually, you can do so. However, it is more complicated and requires editing the Registry. As always, back up these files before making any changes.

First, right-click the Start Menu and click Search. Type “Koobface”. When the file appears, delete it. Now press Shift, Ctrl and Esc to bring up the Task Manager. If there are any entries bearing the worm’s name in the Processes tab, choose “End Process”.

To remove it from the Registry, type “regedit” in the Run command line. You can also type “regedit.exe” in the search box. Choose Edit and “Find”. Delete the following entries.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\”systray” = “C:\Windows\fbtre6.exe”

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

To remove its DLL files, choose Run from the Start Menu. Type “cmd” and press Enter. When you find the file, remove it in the following manner: type “regsvr32 /u SampleDLLName.dll”, substituting the DLL’s actual name.
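As an added example (not code from the original article), the following Python script audits a Registry export (.reg text) offline for the traces listed in the Torpig, Rustock.C and Mocmex sections and the Koobface entries above: a service ImagePath that expands a variable other than %SystemRoot%, a per-user Run entry launching \service\explorer.exe, the leftover pwd, gnum and myID2 values, an Image File Execution Options Debugger value, and the fbtre6.exe Run entry. The export is constructed, the user SID is invented, and autoruns.exe as the program under the IFEO key is an assumption, since the article elides that name.

```python
"""Offline audit of a Windows Registry export (.reg text) for the
persistence traces the Torpig, Rustock.C, Mocmex and Koobface sections
describe. Added example; not code from the original article."""
import re

# Constructed sample export (not a real capture); the user SID is invented
# and autoruns.exe as the IFEO target is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%fystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="C:\\service\\explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"pwd"="0"
"myID2"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vnwpbns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systray"="C:\\Windows\\fbtre6.exe"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU"}
CV_SUFFIX = "\\software\\microsoft\\windows\\currentversion"
RUN_SUFFIX = CV_SUFFIX + "\\run"
SERVICES = "hklm\\system\\currentcontrolset\\services\\"

def parse_reg(text):
    """Return {short_key: {value_name_lower: data}}. Only REG_SZ ("...")
    values are unescaped; other value types are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVES.get(hive, hive) + "\\" + rest
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"').lower()] = data
    return keys

def audit(text):
    """Return a list of (family, key, detail) tuples, one per indicator."""
    findings = []
    for key, values in parse_reg(text).items():
        kl = key.lower()
        # Rustock.C: service ImagePath expanding a variable other than %SystemRoot%
        if kl.startswith(SERVICES) and "imagepath" in values:
            m = re.match(r"%([^%]+)%", values["imagepath"])
            if m and m.group(1).lower() != "systemroot":
                findings.append(("rustock", key, values["imagepath"]))
        # Torpig: per-user Run entry launching ...\service\explorer.exe
        if kl.endswith(RUN_SUFFIX) and kl.startswith(("hku\\", "hkcu\\")):
            for name, data in values.items():
                if data.lower().endswith("\\service\\explorer.exe"):
                    findings.append(("torpig", key, f"{name}={data}"))
        # Torpig: leftover values the article names under CurrentVersion
        if kl == "hkcu" + CV_SUFFIX:
            for name in ("pwd", "gnum", "myid2"):
                if name in values:
                    findings.append(("torpig", key, name))
        # Mocmex: an IFEO Debugger value redirects a program to another binary;
        # legitimate debuggers also set it, so this is a review item, not proof.
        if "\\image file execution options\\" in kl and "debugger" in values:
            findings.append(("mocmex-ifeo", key, values["debugger"]))
        # Koobface: the Run entry the article lists, in any hive
        if kl.endswith(RUN_SUFFIX):
            for name, data in values.items():
                if data.lower().endswith("\\fbtre6.exe"):
                    findings.append(("koobface", key, f"{name}={data}"))
    return findings

if __name__ == "__main__":
    for family, key, detail in audit(SAMPLE_REG):
        print(f"[{family}] {key}: {detail}")
```

On a real machine, export the hives with regedit (File, Export, range All) and pass the file's text to audit(); every hit is a lead to confirm, not an automatic deletion.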

As stated earlier, it is best to use an antivirus to get rid of the virus easily. But even better is to maintain good computing habits. Do not open any messages that look suspicious. This is especially true if you are new to social networking. Because the virus is mutating, it pays to be informed about the facts as they appear.

The best way to keep potential threats like Koobface away is by using a combination of good antivirus software and common sense. If you take the appropriate steps you won’t have to worry about a thing.

Conficker

Conficker is one of the most widespread computer worms in the world today. By understanding how Conficker works and the measures against it, protecting your computer will be easier.

Conficker has become the most widespread computer worm affecting systems running Windows. Because it is so prevalent, you should be aware of the damage it can cause. You should also know how to remove it if your system is infected by one of its variants.

Types

One of the reasons why this computer worm is so difficult to detect is its speed of mutation and utilization of various techniques. It uses different ways of infiltrating computer systems, making elimination doubly hard. Currently there are five variants known.

Variant A affects the NetBIOS. Variant B also affects the NetBIOS and targets CD and other removable storage devices. It also creates a DLL file that connects itself to the removable drive. Version C of Conficker is similar to B. It also updates itself by connecting to several URLs. The same can be said for variants D and E.

The worm is also capable of launching itself at boot up. This is made possible because it stores a copy of itself in the system folder. In addition it also embeds a copy in the Registry keys.

Effects on Computers

The exact aim of the worm is not yet clear. But the symptoms themselves cause harm in network systems. One of the most common effects is the termination of certain Windows functions.

These include Windows Error Reporting and BITS (Background Intelligent Transfer Service), which get disabled. Other symptoms are a general slowdown of client / server processes. The Conficker worm also shuts down user accounts and makes it impossible to reach antivirus sites.

Other elements in the network that get affected are the regulations on account usage and privileges, which get reset. Trying to get updates of the Windows operating system is also made impossible. The end result of all this is that users and administrators will get locked out.

According to reports the worm infected several computers in the Defense Ministry in the UK. Over one hundred computers in the German military were also infected. Other countries all over the world were also affected.

Propagation

The variants duplicate in different ways. Variant A connects via HTTP to any of several hundred domain names to get updates. Variant B also has its own generator for getting domain names. Version C utilizes a named pipe to set back URLs and contaminate other computers over a LAN. Variants D and E of Conficker make use of a peer to peer network. It is also known to affect TCP. Currently, their structure is still being analyzed.

Removal and Prevention

All the major antivirus software companies have released updates to eliminate this worm. Microsoft also releases updates to protect the OS. For this reason it is important to keep both antivirus and your operating system updated. Get the service packs and patches as soon as possible. You should also be careful about downloading any files from the Net. Always scan it.

If you are an administrator, performing checks and system upgrades is a must. If your antivirus program is subscription based, do not allow it to expire.

Conficker can cripple a network. However, you can arm yourself by backing up all your important files and running a virus scanner. This will save you a lot of potential trouble.

Bohmini.A

A system with the Bohmini.A Trojan can become unstable and lead to serious problems. Understand the ways Bohmini.A operates and prevent it from entering your system.

Bohmini.A is a dangerous Trojan that affects standalone and networked computers. To keep your files and documents safe, knowing the basic facts is of paramount importance.

Programs and Websites Affected

This malware is known to infiltrate Internet Explorer 7.0 in particular when Adobe Flash 9.0.115 is used. The security leaks in Windows XP SP2 also make Firefox 2 vulnerable. The number of websites currently afflicted by this malware is uncertain. It is believed to have spread by way of social networking sites like Facebook.

Behavior and Characteristics

As with other Trojans and viruses, Bohmini.A has undergone several changes. It should be noted that while it cannot replicate, it can update itself whenever the user is online. What these updates do depends on the variant, but some allow it to fight off removal attempts. One of the ways in which the program hides itself is by using unique names.

Some of the aliases it uses are the following: Mal/HckPk-A, Trojan.Skintrim, Packed.Generic.198 and Generic.dx. It is also known to produce executable files. The names are random but usually 8 characters long. These would be in the System32 folder of Windows. Names might look like 2B0E7jhj.ex or 68S3ynp7.exe.

Effects on Computer Systems

The updates make a consistent assessment of its effect difficult. One of the most common effects, though, is using up memory and processes. When a system suddenly slows down, it could be due to the presence of Bohmini.A. Apart from slowing down your PC, it can cause damage in other ways. The most lethal versions execute commands in the system files. Depending on the script, the results range from a disrupted Web connection to alterations to the Windows Registry.

Once it is in place, the program will create entries on the hour. The malware will integrate itself into the running processes. Subsequently it will start to delete files. Those that are passed through the command line are most likely to be targeted. The other danger posed by the Bohmini.A is data transmission. At the very least it can relay to a remote server technical information about the computer. This can range from disk serial numbers to the OS being used.

Removal and Prevention

The best protection against this threat is to install antivirus software. Run a scan to see if the system is infected. The removal process can then be done automatically. In most cases the only choice you will make is whether to delete the file or isolate it (quarantine).

In some cases though, getting rid of the Trojan may require manual work. If you have run the antivirus program but the system is still showing symptoms go to Task Scheduler (in XP). Get rid of files that start with At1 up to At24. Look for copies of the program in the Windows/System32 folder as well. If you still cannot remove it, use a boot disk or run Windows in Safe Mode.

Although the Bohmini.A isn’t as dangerous as other Trojans, the updates can make it more deadly. By taking the necessary precautions, any threats to your computer can and will be eliminated.