This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
This trojan makes extensive registry changes so that the trojan file will run rather than the default application for viewing the affected file-types.
The old Default data for the registry entries below are saved by the trojan in a new value named "SysBack".
The new Default data is changed to point to the trojan:
Another registry entry is created to run the trojan at startup:
The trojan also copies itself to the following locations:
The version information in the files' properties is used to make it appear to be a valid applicaton:
Company Name: xcan
Internal Name: system
Product Name: Explorer
The trojan infects a system upon execution by copying itself to the System directory and hooking the Registry to run at system startup.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: