Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
|
Minimum DAT
4362 (2004-05-19) Updated DAT4631 (2005-11-17) |
Minimum Engine
5.1.00 File Length18,944 bytes |
Description Added
2004-05-19 Description Modified2004-05-28 |
Malware Proliferation
Characteristics
This trojan exists as a dynamic link library file named msvsres.dll The true installation method for this trojan is not known at this time. This DLL installs itself to the following registry key, to automatically load at system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = %path%\msvsres.dll
The trojan attempts to contact the following domains:
- hjvadsalhdwfg.biz
- htbvkgckgcvbj.biz
- hsvvsjcjasvcer.biz
Symptoms
Unexpected connections to:
- hjvadsalhdwfg.biz
- htbvkgckgcvbj.biz
- hsvvsjcjasvcer.biz
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. Trojans may also be received as a result of poor security practices (weak username/password combination on open shares, lack of/or misconfigured firewall protection), or unpatched and vulnerable systems.
Removal
All Users
Use current engine and DAT files
for detection.
Manual Removal Process
- Edit the registry
- Delete the "msvsres.dll" value from
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
- Reboot the system
- Delete the file msvsres.dll (typically found in the %WinDir%\system32 directory
Variants