This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
| Field | Value |
|---|---|
| Minimum DAT | 5415 (2008-10-24) |
| Updated DAT | 5434 (2008-11-14) |
| Minimum Engine | 5.2.00 |
| File Length | 28,672 bytes |
| Description Added | 2008-10-24 |
| Description Modified | 2008-10-30 |

The trojan will modify the following registry entry to allow itself to be started during bootup:
A randomly named file, bas[random]32.dll, is created in %SYSTEM%, and the registry entry refers to this file.
On bootup, it connects to the following domain, from which it could receive further instructions or download other malware:
(where %SYSTEM% is the Windows system folder, e.g. C:\Windows\system32)