Troj/Divdav-A

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Divdav-A is a series of batch script Trojans created by the toolkit Troj/Divdavkt-A.

Troj/Divdav-A Trojans copy themselves to VWIN.BAT in the Windows folder.

Troj/Divdav-A Trojans may attempt to copy themselves to the Startup folder with the filename WIN.BAT.

Troj/Divdav-A Trojans may attempt to create the following entries in the registry so as to run themselves when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vwin

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
vwin

Troj/Divdav-A Trojans may attempt to force the infected computer to shut down at a user-defined time with a user-defined message.

Troj/Divdav-A Trojans may attempt to terminate the processes LSASS.EXE and EXPLORER.EXE.

Troj/Divdav-A Trojans may attempt to add network shares to the infected computer.

Troj/Divdav-A Trojans may attempt to delete all files with a TXT extension in the Cookies folder.

Troj/Divdav-A Trojans may attempt to add the following lines to the HOSTS file in the DRIVERS\ETC subfolder of the Windows folder in order to prevent access to the websites listed by linking them with the loopback address:

127.0.0.1 www.google.de
127.0.0.1 www.google.com
127.0.0.1 www.symantec.de
127.0.0.1 www.antivir.de
127.0.0.1 www.f-secure.com
127.0.0.1 www.f-secure.de
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.de
127.0.0.1 www.nai.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.de
127.0.0.1 www.microsoft.com
127.0.0.1 www.free-av.com
127.0.0.1 www.sophos.com
127.0.0.1 www.sophos.de
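
A defender-side check for this kind of HOSTS tampering, as an added example that is not part of the original description: it parses HOSTS file text and flags any non-local name mapped to a loopback address. The function names, the watch list (a subset of the domains above) and the sample file are assumptions made for illustration.

```python
import ipaddress

# Names that legitimately map to loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Assumed watch list: a subset of the domains listed on this page.
WATCHED_SUFFIXES = ("sophos.com", "symantec.com", "kaspersky.com",
                    "f-secure.com", "microsoft.com")


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for other or unparsable addresses."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_loopback_blocks(hosts_text):
    """Return (line_no, hostname, severity) for each non-local name pinned to loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2 or not is_loopback(entry[0]):
            continue
        for name in entry[1:]:  # one line may carry several aliases
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
            findings.append((line_no, host, "high" if watched else "review"))
    return findings


# Constructed sample input: default entries, entries of the kind listed above,
# a commented-out line, and an unrelated loopback mapping that only needs review.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.sophos.com
127.0.0.1\twindowsupdate.microsoft.com   # trailing comment
127.0.0.1 WWW.KASPERSKY.COM www.f-secure.com
# 127.0.0.1 www.symantec.com
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
"""

if __name__ == "__main__":
    for line_no, host, severity in find_loopback_blocks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> loopback [{severity}]")
```

Entries using 0.0.0.0 are not loopback addresses and are deliberately out of scope for this check.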

Troj/Divdav-A Trojans may attempt to copy themselves to files in the current folder, to C:\, to the Startup folder and to the Start Menu, with a filename consisting of a random number and a BAT extension.

Troj/Divdav-A Trojans may attempt to copy themselves to the following files in the SYSTEM32 subfolder of the Windows folder:

TASKMGR.EXE
WINLOGON.EXE
SVCHOST.EXE
CALC.EXE

Troj/Divdav-A Trojans may attempt to rename all files with a DLL extension in the SYSTEM32 subfolder of the Windows folder, giving them all the extension "-fUcKeD". Troj/Divdav-A Trojans may also attempt to rename all files with an INI extension in the SYSTEM32 subfolder of the Windows folder, giving them all the extension "FuCkEd-".

Troj/Divdav-A Trojans may display a message box with user-defined text and a title of "ViRuS!!!" by creating and running a file MSG.VBS.
