Downloader-HE

This page shows details and results of our analysis of the malware Downloader-HE.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT: 4330 (2004-02-29)
Updated DAT: 4322 (2004-02-04)
Minimum Engine: 5.1.00
File Length: 2,560 Bytes
Description Added: 2004-03-25
Description Modified: 2004-03-25

Characteristics

When the trojan is executed, it will modify the registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Winhost" C:\[Windows directory]\winh.exe

It will download the file 2.exe from the domain www.cyberrape.com. The following files will be created:

  • c:\000.exe
  • c:\[Windows directory]\sysh.hta
  • c:\[Windows directory]\system.html
  • c:\[Windows directory]\winh.exe

These files are detected as Lolaweb.

Symptoms

The presence of the above files.
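
A check for the Run value and the files listed under Characteristics, added here as an example (it is not the vendor's own tooling). It works offline on saved `reg query` output and a file listing; the function names, the `[windir]` placeholder and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# Indicators from the Characteristics section above. "[windir]" stands in for
# the page's "[Windows directory]" and is resolved per host.
RUN_VALUE = "Winhost"
RUN_TARGET = r"[windir]\winh.exe"
DROPPED = [r"c:\000.exe", r"[windir]\sysh.hta",
           r"[windir]\system.html", r"[windir]\winh.exe"]

# One value line of `reg query` output: name, type, data.
REG_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def norm(path, windir):
    """Resolve the placeholder, drop quotes, fold case (Windows paths compare case-insensitively)."""
    path = path.strip().strip('"').replace("[windir]", windir)
    return ntpath.normpath(path).lower()

def parse_reg_query(text):
    """Map value name -> data from saved `reg query <Run key>` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values

def check_host(reg_output, file_listing, windir=r"C:\WINDOWS"):
    """Return (kind, detail) findings for the Run value and the dropped files."""
    findings = []
    target = norm(RUN_TARGET, windir)
    for name, data in parse_reg_query(reg_output).items():
        if name.lower() == RUN_VALUE.lower() and norm(data, windir) == target:
            findings.append(("run-key", f"{name} -> {data}"))
    wanted = {norm(p, windir) for p in DROPPED}
    for path in file_listing:
        if norm(path, windir) in wanted:
            findings.append(("file", path))
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Winhost    REG_SZ    C:\WINDOWS\winh.exe
"""
SAMPLE_FILES = [r"C:\000.EXE", r"C:\WINDOWS\notepad.exe", r"C:\Windows\sysh.hta"]

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

Pass the host's actual Windows directory as `windir`; a host installed under `C:\WINNT` will not match the default.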

Method of Infection

The trojan installs itself on the victim machine when it is executed.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
