Trojan Horse


Updated: February 13, 2007 12:17:46 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Symantec antivirus programs use Trojan Horse as a generic detection when detecting many individual but varied Trojan horse programs for which specific definitions have not been created.

In these cases, a generic detection is used because it protects against many Trojans that share similar characteristics.

If a malicious program does not infect other files and does not automatically distribute itself, the program is usually labeled a Trojan horse. For additional information, see the following:

What is the difference between viruses, worms, and Trojans?
Virus naming conventions

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal Summary


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete any values added to the registry.
5. Edit the Win.ini file.
6. Edit the System.ini file.
7. Clear the Temporary Internet Files folder.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

How to disable or enable Windows Me System Restore
How to turn off or turn on Windows XP System Restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to Virus Definitions (LiveUpdate).

Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).

The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To scan for and delete the infected files

a. Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.

b. Run a full system scan.
c. If any files are detected, take note of the file names, and click Delete.

If the infected files are detected in the \Temporary Internet Files\Content.IE5 folder, due to the design of the operating system, you will not be able to delete them. Write down the entire path and file name and clear the Temporary Internet Files folder at the end of the removal instructions.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title:
[FILE PATH]

Message body:
Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


4. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

a. Click Start > Run.
b. Type regedit
c. Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

d. Navigate to the subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

e. In the right pane, delete any value that refers to a file that was detected during the scan.
f. Exit the Registry Editor.
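As an added example (not Symantec's code and not part of the original writeup), the script below audits the autostart subkeys listed in step 4d before anything is deleted in step 4e. It parses a registry text export of the kind regedit produces (here a constructed sample, with "badfile.exe" standing in for a file name written down during the scan in step 3) and lists every value whose data refers to a detected file name, so the person doing the removal sees exactly which values step 4e would remove and can leave the rest alone. The value names and paths in the sample are invented.

```python
import re
from typing import Dict, List, Tuple

# Autostart subkeys named in step 4d of the writeup.
AUTOSTART_SUBKEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]

# Constructed sample of a regedit text export covering two of those subkeys.
# Value names and paths are invented; "badfile.exe" stands in for a file name
# noted during the scan in step 3.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\DOCUME~1\\Linda\\LOCALS~1\\TEMPOR~1\\Content.IE5\\badfile.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Loader"="\"C:\\WINDOWS\\BADFILE.EXE\" /silent"
"SomeSetup"="C:\\Program Files\\Vendor\\setup.exe"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')  # only REG_SZ values are handled


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a regedit text export into {subkey: [(value name, data), ...]}.
    Backslashes and quotes inside the data are escaped in the export
    (\\ and \"), so they are unescaped here."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1)
            data = re.sub(r'\\(["\\])', r"\1", m.group(2))
            result[current].append((name, data))
    return result


def referenced_file_names(data: str) -> List[str]:
    """Lower-cased base names of every path-like token in a value's data.
    A quoted path with arguments ('"C:\\x\\bad.exe" /silent') yields the
    executable; an unquoted path with spaces is split on whitespace, but the
    final component (the file name itself) is still recovered."""
    names = []
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', data):
        token = quoted or bare
        names.append(token.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def find_suspect_values(reg_text: str, detected_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (subkey, value name, data) for every value under one of the
    step 4d subkeys whose data names a detected file (case-insensitive)."""
    wanted = {n.lower() for n in detected_names}
    monitored = {k.lower() for k in AUTOSTART_SUBKEYS}
    hits = []
    for subkey, values in parse_reg_export(reg_text).items():
        if subkey.lower() not in monitored:
            continue
        for name, data in values:
            if wanted.intersection(referenced_file_names(data)):
                hits.append((subkey, name, data))
    return hits


if __name__ == "__main__":
    for subkey, name, data in find_suspect_values(SAMPLE_REG_EXPORT, ["badfile.exe"]):
        print(f"[{subkey}]\n    {name} = {data}")
```

On a real machine the input would be the file produced by exporting each listed subkey from regedit, and the list of detected names would be the file names written down in step 3c. The script only reports; it never writes to the registry, which keeps the backup-first advice at the top of step 4 meaningful.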

5. To edit the Win.ini file

WARNING: The following steps instruct you to remove the text from the run= line of the Win.ini file. If you are using older programs, they may load at startup from one of these lines. If you are sure that the text contained in these lines is for the programs that you normally use, then we suggest that you do not remove it.

If you are running Windows 95/98/Me, follow these steps:

a. Click Start > Run.
b. Type the following:

edit c:\windows\win.ini

and then click OK.

(The MS-DOS Editor opens.)

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

c. In the [windows] section of the file, look for a line similar to:

run=[TROJAN FILE NAME]

Note: [TROJAN FILE NAME] refers to the file name detected during the scan.

d. If this line exists, delete everything to the right of run=
e. Click File > Save.
f. Click File > Exit.

6. To edit the System.ini file

If you are running Windows 95/98/Me, follow these steps:

a. Click Start > Run.
b. Type the following:

edit c:\windows\system.ini

and then click OK.

(The MS-DOS Editor opens.)

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

c. In the [boot] section of the file, look for a line similar to:

shell=Explorer.exe [TROJAN FILE NAME]

Note: [TROJAN FILE NAME] refers to the file name detected during the scan.

d. If this line exists, delete everything to the right of Explorer.exe. When you are done, it should look like:

shell=Explorer.exe

e. Click File > Save.
f. Click File > Exit.
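The following is an added example, not part of the writeup and not Symantec's code: a small parser for the Win.ini and System.ini lines that steps 5 and 6 edit. The sample file contents are constructed, with "badfile.exe" standing in for [TROJAN FILE NAME]. startup_entries reports what the run= line (and, going slightly beyond the page, the load= line, which also starts programs from the [windows] section of win.ini) and the shell= line would launch at boot. remove_detected then strips only the tokens that name a detected file. That is deliberately narrower than steps 5d and 6d, which delete everything after run= and after Explorer.exe, and it honours the WARNING in step 5 that older programs may legitimately load from these lines.

```python
from typing import Dict, List, Tuple

# Constructed sample win.ini and system.ini contents (Windows 9x/Me style).
# "badfile.exe" stands in for [TROJAN FILE NAME]; the other entries are
# typical of a clean install.
SAMPLE_WIN_INI = """[windows]
load=
run=badfile.exe
NullPort=None

[fonts]
Arial (TrueType)=ARIAL.TTF
"""

SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe badfile.exe
system.drv=system.drv

[386Enh]
device=*vmm32
"""


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal win.ini/system.ini parser: keeps section order and duplicate
    keys (configparser would merge or reject them). Section names are
    lower-cased; keys and values keep their original case."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def _basename(token: str) -> str:
    """Lower-cased file name of a path token, accepting either slash style."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def startup_entries(win_ini: str, system_ini: str) -> Dict[str, List[str]]:
    """What the INI autostart lines would launch at boot:
    win.ini  [windows] run= and load=  -> every program listed
    system.ini [boot] shell=           -> anything after Explorer.exe
    (if the shell is not Explorer.exe at all, the whole line is reported,
    since steps 6c/6d do not cover a replaced shell)."""
    found: Dict[str, List[str]] = {"win.ini run=": [], "win.ini load=": [], "system.ini shell=": []}
    for key, value in parse_ini(win_ini).get("windows", []):
        if key.lower() in ("run", "load") and value:
            found[f"win.ini {key.lower()}="].extend(value.split())
    for key, value in parse_ini(system_ini).get("boot", []):
        if key.lower() == "shell":
            parts = value.split()
            if parts and parts[0].lower() == "explorer.exe":
                found["system.ini shell="].extend(parts[1:])
            else:
                found["system.ini shell="].extend(parts)
    return found


def remove_detected(text: str, section: str, key: str, detected: List[str]) -> Tuple[str, List[str]]:
    """Rewrite one key in one section, dropping only the tokens whose file
    name matches a detected file. Returns (new text, removed tokens). Every
    other line of the file is passed through unchanged."""
    wanted = {d.lower() for d in detected}
    removed: List[str] = []
    out: List[str] = []
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line and not line.startswith(";"):
            k, _, v = line.partition("=")
            if k.strip().lower() == key.lower():
                keep: List[str] = []
                for token in v.split():
                    if _basename(token) in wanted:
                        removed.append(token)
                    else:
                        keep.append(token)
                raw = f"{k.strip()}={' '.join(keep)}"
        out.append(raw)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    print(startup_entries(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI))
    new_win, gone = remove_detected(SAMPLE_WIN_INI, "windows", "run", ["badfile.exe"])
    print("removed from win.ini:", gone)
    new_sys, gone = remove_detected(SAMPLE_SYSTEM_INI, "boot", "shell", ["badfile.exe"])
    print("removed from system.ini:", gone)
```

Run startup_entries first and compare its output with the file names noted in step 3c; anything it lists that is not a detected file is exactly the case the WARNING describes, and should be left in place. Write the returned text back only after reviewing the removed-tokens list.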

7. To clear the Temporary Internet Files folder, if required

a. Log on to the computer using the name that was shown in the path that you wrote down in the scan and delete infected files section.

For example, if the path was:

C:\Documents and Settings\Linda\Local Settings\Temporary Internet Files\[FILE NAME]

log on to the computer as Linda.

b. Start Internet Explorer.
c. Click Tools > Internet Options.
d. In the Temporary Internet Files section, click the Delete Files button.
e. Check Delete all offline content, and then click OK.
