This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4237 (2002-12-11)
Updated DAT: 4707 (2006-02-28)
Minimum Engine: 5.1.00
File Length: 423,424 bytes
Description Added: 2002-12-05
Description Modified: 2002-12-05
When running, this trojan repeatedly attempts to connect to a remote web site.
When executed on the victim machine, the following fake message box is displayed:
And a minimised window title bar can be seen:
The trojan copies itself into the Windows directory as SNDVOL.EXE. Subsequently, it hooks system startup by adding the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This Registry hook is removed when cleaning with the indicated engine/DATs.
Additionally, the following Registry key is created, indicating the trojan's (installed) presence:
HKEY_CURRENT_USER\Software\Rabbit
Manual removal of this Registry key is required.
The trojan installs itself on the victim machine upon execution, hooking the Registry and copying itself into the Windows directory as SNDVOL.EXE (423,424 bytes).
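A read-only PowerShell check for the three indicators described above: the Run hook, the HKEY_CURRENT_USER\Software\Rabbit key, and SNDVOL.EXE in the Windows directory. This is an added example, not part of the original description; the Run value name is not given on the page, so the script inspects the data of every value under the key.

```powershell
# Added example: read-only indicator check, changes nothing on the system.
# HKCU is per-user, so run it in the session of the account being examined.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$markerKey = 'HKCU:\Software\Rabbit'
$dropPath  = Join-Path $env:windir 'SNDVOL.EXE'
$dropSize  = 423424   # file length stated in the description, in bytes

$findings = @()

# 1. Startup hook: any Run value whose data references SNDVOL.EXE.
#    The value name is unknown (assumption: only the data identifies it).
if (Test-Path $runKey) {
    $key = Get-Item $runKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'sndvol\.exe') {
            $findings += "Run value '$name' references SNDVOL.EXE: $data"
        }
    }
}

# 2. Marker key that the description says must be removed manually.
if (Test-Path $markerKey) {
    $findings += "Marker key present: $markerKey"
}

# 3. Dropped copy in the Windows directory. A name match alone is not
#    conclusive, so the length is compared with the documented value.
if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
    $file = Get-Item -LiteralPath $dropPath -Force
    if ($file.Length -eq $dropSize) {
        $note = 'length matches the description'
    } else {
        $note = "length is $($file.Length) bytes, differs from the description"
    }
    $findings += "File present: $dropPath ($note)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'None of the described indicators were found for this user.'
}
```

A hit on the marker key after the scanner has cleaned the machine is expected, since the description states that key is not removed automatically.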