Troj/Digarix-B

Please follow the instructions for removing Trojans.

Delete any unwanted dropped files.

You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MsnMsgr

and delete it if it exists.

Close the registry editor.

Troj/Digarix-B is a multi-partite IRC backdoor Trojan.

The Trojan arives as a self extracting archive file cab32.exe that drops the following files:

\echo.txt
\windows\Rar.exe
\windows\backs.exe
\windows\cabscan.dll
\windows\dd4a.exe
\windows\dx32a.exe
\windows\inst.exe
\windows\mirc.hlp
\windows\msnmsgr.exe
\windows\pv.exe
\windows\repair\cabscan\fix\cabscan.dll
\windows\sleep.com
\windows\system32\cab\Rar.exe
\windows\system32\cab\TzoLibr.dll
\windows\system32\cab\X-ScanCfg.ini
\windows\system32\cab\aliases.ini
\windows\system32\cab\asia.txt
\windows\system32\cab\back.exe
\windows\system32\cab\back32.exe
\windows\system32\cab\backer32.exe
\windows\system32\cab\cab.exe
\windows\system32\cab\cab.ini
\windows\system32\cab\cabs.ini
\windows\system32\cab\cabscan.bat
\windows\system32\cab\cabscan.dll
\windows\system32\cab\cabscan.exe
\windows\system32\cab\copy\Rar.exe
\windows\system32\cab\copy\TzoLibr.dll
\windows\system32\cab\copy\X-ScanCfg.ini
\windows\system32\cab\copy\aliases.ini
\windows\system32\cab\copy\asia.txt
\windows\system32\cab\copy\back.exe
\windows\system32\cab\copy\back32.exe
\windows\system32\cab\copy\backer32.exe
\windows\system32\cab\copy\cab.exe
\windows\system32\cab\copy\cab.ini
\windows\system32\cab\copy\cabs.ini
\windows\system32\cab\copy\cabscan.bat
\windows\system32\cab\copy\cabscan.dll
\windows\system32\cab\copy\cabscan.exe
\windows\system32\cab\copy\copydown.bat
\windows\system32\cab\copy\cygwin1.dll
\windows\system32\cab\copy\dd4.exe
\windows\system32\cab\copy\default.reg
\windows\system32\cab\copy\deldown.bat
\windows\system32\cab\copy\delroot.bat
\windows\system32\cab\copy\delrun32.bat
\windows\system32\cab\copy\delscans.bat
\windows\system32\cab\copy\edu.txt
\windows\system32\cab\copy\fast.txt
\windows\system32\cab\copy\fdisk.exe
\windows\system32\cab\copy\ftp.exe
\windows\system32\cab\copy\full.txt
\windows\system32\cab\copy\get.bat
\windows\system32\cab\copy\ip.txt
\windows\system32\cab\copy\local.reg
\windows\system32\cab\copy\mass.txt
\windows\system32\cab\copy\mirc.ini
\windows\system32\cab\copy\new.txt
\windows\system32\cab\copy\nobios.bat
\windows\system32\cab\copy\ntcnd.exe
\windows\system32\cab\copy\oncrpc.dll
\windows\system32\cab\copy\pack.bat
\windows\system32\cab\copy\perform.ini
\windows\system32\cab\copy\psexec.exe
\windows\system32\cab\copy\pv.exe
\windows\system32\cab\copy\random.txt
\windows\system32\cab\copy\remote.ini
\windows\system32\cab\copy\save.bat
\windows\system32\cab\copy\save521.exe
\windows\system32\cab\copy\send.bat
\windows\system32\cab\copy\servers.ini
\windows\system32\cab\copy\service.exe
\windows\system32\cab\copy\shutdown.bat
\windows\system32\cab\copy\sleep.com
\windows\system32\cab\copy\speed.jpg
\windows\system32\cab\copy\start.bat
\windows\system32\cab\copy\svehost.bat
\windows\system32\cab\copy\svhost.exe
\windows\system32\cab\copy\svshost.exe
\windows\system32\cab\copy\svshost.txt
\windows\system32\cab\copy\tar.exe
\windows\system32\cab\copy\uk.txt
\windows\system32\cab\copy\updater.bat
\windows\system32\cab\copy\us.txt
\windows\system32\cab\copydown.bat
\windows\system32\cab\cygwin1.dll
\windows\system32\cab\dat\config.ini
\windows\system32\cab\dat\easy_user.dic
\windows\system32\cab\dat\language.ini
\windows\system32\cab\dat\nt_pass.dic
\windows\system32\cab\dat\nt_user.dic
\windows\system32\cab\dat\os.finger
\windows\system32\cab\dat\port.ini
\windows\system32\cab\dat\rpc.ini
\windows\system32\cab\dd4.exe
\windows\system32\cab\default.reg
\windows\system32\cab\deldown.bat
\windows\system32\cab\delroot.bat
\windows\system32\cab\delrun32.bat
\windows\system32\cab\delscans.bat
\windows\system32\cab\edu.txt
\windows\system32\cab\fast.txt
\windows\system32\cab\fdisk.exe
\windows\system32\cab\ftp.exe
\windows\system32\cab\full.txt
\windows\system32\cab\get.bat
\windows\system32\cab\ip.txt
\windows\system32\cab\local.reg
\windows\system32\cab\mass.txt
\windows\system32\cab\mirc.ini
\windows\system32\cab\new.txt
\windows\system32\cab\nobios.bat
\windows\system32\cab\ntcnd.exe
\windows\system32\cab\oncrpc.dll
\windows\system32\cab\pack.bat
\windows\system32\cab\perform.ini
\windows\system32\cab\plugin\010-port.xpn
\windows\system32\cab\plugin\020-netbios.xpn
\windows\system32\cab\plugin\030-rpc.xpn
\windows\system32\cab\plugin\090-ntpass.xpn
\windows\system32\cab\psexec.exe
\windows\system32\cab\pv.exe
\windows\system32\cab\random.txt
\windows\system32\cab\remote.ini
\windows\system32\cab\save.bat
\windows\system32\cab\save521.exe
\windows\system32\cab\send.bat
\windows\system32\cab\servers.ini
\windows\system32\cab\service.exe
\windows\system32\cab\shutdown.bat
\windows\system32\cab\sleep.com
\windows\system32\cab\speed.jpg
\windows\system32\cab\start.bat
\windows\system32\cab\svehost.bat
\windows\system32\cab\svhost.exe
\windows\system32\cab\svshost.exe
\windows\system32\cab\svshost.txt
\windows\system32\cab\tar.exe
\windows\system32\cab\uk.txt
\windows\system32\cab\updater.bat
\windows\system32\cab\us.txt

Most of these files are legitimate tools not detected by Sophos Anti-Virus. Among them is a vulnerability scanner that produces log files in the \windows\system32\cab\log subfolder and a copy of the mIRC client that is used as the main backdoor component.

In order to run automatically when Windows starts up the Trojan adds the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MsnMsgr.