Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
|
Minimum DAT
4382 (2004-07-28) Updated DAT4799 (2006-07-04) |
Minimum Engine
5.1.00 File LengthVaries |
Description Added
2004-07-28 Description Modified2004-07-28 |
Malware Proliferation
Characteristics
There are numerous versions of this trojan. This description is meant as a guide.
The purpose of this trojan is to hide, or stealth, files and registry keys. It is often used in conjunction with other malware.
This trojan has recently been packaged with many different W32/Sdbot.worm variants.
In this scenario, the Sdbot.worm virus is often installing the trojan in the WINDOWS SYSTEM directory as msdirectx.sys (such as c:\WINDOWS\system32\msdirectx.sys).
This file is installed as a service:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\msdirectx
Symptoms
A possible indicator is the presence of the file msdirectx.sys in the WINDOWS SYSTEM directory when browsing the SYSTEM directory remotely.
Method of Infection
This trojan is distributed with other malware.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants