Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 21 November 2004 17:00:03 (GMT) |
| Detected by | All Sophos products, including Endpoint Security and Control 9.0 and Small business solutions 4.0 |
Action

Please follow the instructions for removing Trojans.
Replace the HOSTS file (in the DRIVERS\ETC subfolder of the Windows folder) from a backup, or edit it in Notepad to remove the 127.0.0.1 entries that the Trojan has added.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vwin
and delete the vwin value if it exists.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\vwin
and delete the vwin value if it exists.
Close the registry editor.
More Information
Troj/Divdav-A is a series of batch script Trojans created by the toolkit Troj/Divdavkt-A.
Troj/Divdav-A Trojans copy themselves to VWIN.BAT in the Windows folder.
Troj/Divdav-A Trojans may attempt to copy themselves to the Startup folder with the filename WIN.BAT.
Troj/Divdav-A Trojans may attempt to create the following registry values so as to run themselves when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vwin
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vwin
Troj/Divdav-A Trojans may attempt to force the infected computer to shut down at a user-defined time with a user-defined message.
Troj/Divdav-A Trojans may attempt to terminate the processes LSASS.EXE and EXPLORER.EXE.
Troj/Divdav-A Trojans may attempt to add network shares to the infected computer.
Troj/Divdav-A Trojans may attempt to delete all files with a TXT extension in the Cookies folder.
Troj/Divdav-A Trojans may attempt to add the following lines to the HOSTS file in the DRIVERS\ETC subfolder of the Windows folder in order to prevent access to the websites listed by linking them with the loopback address:
127.0.0.1 www.google.de
127.0.0.1 www.google.com
127.0.0.1 www.symantec.de
127.0.0.1 www.antivir.de
127.0.0.1 www.f-secure.com
127.0.0.1 www.f-secure.de
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.de
127.0.0.1 www.nai.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.de
127.0.0.1 www.microsoft.com
127.0.0.1 www.free-av.com
127.0.0.1 www.sophos.com
127.0.0.1 www.sophos.de
Troj/Divdav-A Trojans may attempt to copy themselves to files in the current folder, to C:\, to the Startup folder and to the Start Menu, with a filename consisting of a random number and a BAT extension.
Troj/Divdav-A Trojans may attempt to copy themselves to the following files in the SYSTEM32 subfolder of the Windows folder:
TASKMGR.EXE
WINLOGON.EXE
SVCHOST.EXE
CALC.EXE
Troj/Divdav-A Trojans may attempt to rename all files with a DLL extension in the SYSTEM32 subfolder of the Windows folder, giving them all the extension "-fUcKeD". Troj/Divdav-A Trojans may also attempt to rename all files with a INI extension in the SYSTEM32 subfolder of the Windows folder, giving them all the extension "FuCkEd-".
Troj/Divdav-A Trojans may display a message box with user-defined text and a title of "ViRuS!!!" by creating and running a file MSG.VBS.
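As an added example (not part of the Sophos description), the following PowerShell script audits a host for the persistence, dropped-file and HOSTS-file indicators listed in this section and, when run with -Remove, carries out the registry and HOSTS-file clean-up described under Action above. It assumes a current Windows host with PowerShell 5 or later, run from an elevated prompt; the script name Find-Divdav.ps1, the -Remove switch and the hosts.bak backup path are the example's own choices. The overwritten SYSTEM32 executables and the renamed DLL/INI files are reported only, since restoring them needs the system file checker or installation media rather than deletion.

```powershell
# Find-Divdav.ps1 (added example, not Sophos code): audit, and optionally
# remove, the Troj/Divdav-A artefacts described on this page.
# Assumption: PowerShell 5+, elevated, HKEY_USERS hives of interest are loaded.
param([switch]$Remove)

$windir = $env:SystemRoot
$sys32  = Join-Path $windir 'System32'
$hosts  = Join-Path $sys32 'drivers\etc\hosts'

# Sites the Trojan points at the loopback address (list taken from this page).
$hijacked = @(
    'www.google.de', 'www.google.com', 'www.symantec.de', 'www.antivir.de',
    'www.f-secure.com', 'www.f-secure.de', 'www.kaspersky.com', 'www.kaspersky.de',
    'www.nai.com', 'windowsupdate.microsoft.com', 'www.symantec.com',
    'www.microsoft.de', 'www.microsoft.com', 'www.free-av.com',
    'www.sophos.com', 'www.sophos.de'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: a value named "vwin" under HKLM and every loaded user hive.
$runPaths = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $runPaths += "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($p in $runPaths) {
    if (-not (Test-Path $p)) { continue }
    $val = Get-ItemProperty -Path $p -Name 'vwin' -ErrorAction SilentlyContinue
    if ($val) {
        $findings.Add("Run value 'vwin' at $p -> $($val.vwin)")
        if ($Remove) { Remove-ItemProperty -Path $p -Name 'vwin' }
    }
}

# 2. Dropped batch files: VWIN.BAT in the Windows folder, WIN.BAT in Startup.
$dropped = @(
    (Join-Path $windir 'VWIN.BAT'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'WIN.BAT'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'WIN.BAT')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("Dropped file $f")
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. HOSTS hijack: keep every line except "127.0.0.1 <listed site>" entries.
if (Test-Path -LiteralPath $hosts) {
    $lines = @(Get-Content -LiteralPath $hosts)
    $keep = @(foreach ($line in $lines) {
        $fields = ($line -split '#')[0].Trim() -split '\s+'
        if ($fields.Count -ge 2 -and $fields[0] -eq '127.0.0.1' -and
            ($hijacked -contains $fields[1].ToLower())) {
            $findings.Add("Hosts hijack: $line")
        } else {
            $line
        }
    })
    if ($Remove -and $keep.Count -ne $lines.Count) {
        Copy-Item -LiteralPath $hosts -Destination "$hosts.bak" -Force
        Set-Content -LiteralPath $hosts -Value $keep -Encoding ASCII
    }
}

# 4. Renamed DLL/INI files in SYSTEM32 (report only; recover with sfc /scannow or media).
Get-ChildItem -LiteralPath $sys32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*-fUcKeD' -or $_.Name -like '*FuCkEd-' } |
    ForEach-Object { $findings.Add("Renamed system file $($_.FullName)") }

if ($findings.Count -eq 0) { 'No Troj/Divdav-A artefacts found.' } else { $findings }
```

Run `.\Find-Divdav.ps1` first to see what would be touched, then `.\Find-Divdav.ps1 -Remove` to delete the Run values and dropped batch files and to rewrite the HOSTS file (a copy is left beside it as hosts.bak). Because the Trojan may also overwrite TASKMGR.EXE, WINLOGON.EXE, SVCHOST.EXE and CALC.EXE in SYSTEM32 with copies of itself, a detection of any item above should be followed by a full Sophos scan and a system file check rather than treated as complete clean-up.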
