Troj/Borobot-J

Please follow the instructions for removing Trojans.

Troj/Borobot-J is a Trojan for the Windows platform.

Troj/Borobot-J copies itself with the filename SMSS.EXE to either the Windows system folder or to the folder Application Data\Microsoft\Internet Explorer. Troj/Borobot-J then sets the following entries in the registry in order to run the copy of itself on system
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
smss

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
smss

Troj/Borobot-J may attempt to download and execute a file from http://upseek.org. At the time of writing this file is unavailable for download.

Troj/Borobot-J attempts to delete the file AUTORUN.INF.

Troj/Borobot-J may set the following registry entry so as to allow itself to bypass the Microsoft Windows firewall:

HKLM\SYSTEM\CurrentContolSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<current filename>

Troj/Borobot-J may attempt to delete or disable services with the following service names related to anti-virus and security software:

kavsvc
navapsvc
SAVScan
SharedAccess
Symantec Core LC
wscsvc
wuauserv

Troj/Borobot-J may attempt to delete the following registry entry to prevent the program from running on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KavPersonal50

Troj/Borobot-J connects to an IRC server and acts as a backdoor Trojan, allowing access to the infected computer by a remote user.

Troj/Borobot-J may download files from remote locations to the Windows system folder and execute them if instructed to do so by a remote user.

Troj/Borobot-J acts as a proxy server, routing information from a remote user to their chosen destination.

Troj/Borobot-J allows a remote user to send emails from the infected computer using its own email engine.

Troj/Borobot-J has been seen donwnloaded by Troj/Borodldr-D.