This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted, or may use other tools to assist in spreading. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
--Update on July 31,2009--
The new variant is found downloading components that steal credential information, including components that monitor online bank to steal bank account. It also downloads password recovery program to retrieve passwords from a number of applications.
--Update on June 07,2009--
The new variant drops the following file:
%USER_PROFILE%\Application Data\xx.exe (file name is random)
The following registry key is added to hook system startup:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\xx: "%USER_PROFILE%\xx.exe" (registery key name is random.)
(where %USER_PROFILE% is the default user profile folder, for example C:\Documents and Settings\Administrator if the current user is Administrator.)
Additional Key Values are added:
It creates a hidden iexplore.exe process and injects malicious code into it.
It attempts to connect the following server:
At the time of testing, the GateList key value, contained the following IP:
Ilomo launches a hidden instance if iexplorer.exe then injects the process with malicious code that downloads and execute additional components from the web. The specific function of the downloaded components may vary depending upon when the infection occured and when components were downloaded. Information from the field suggests that this trojan may use Psexec to propogate itself.
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: