Troj/Lineage-I

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BossIdea
%WINDOWS%/java/winlogin.exe

and delete it if it exists.

Close the registry editor.

Troj/Lineage-I is a password stealing Trojan for the Windows platform that attempts to steal passwords associated with the game called "Lineage".

Troj/Lineage-I creates a folder named java under the Windows folder and copies itself as winlogin.exe within it.

Troj/Lineage-I searches for the "Lineage","Lineage Windows Client" window in attempt to initiate a keylogging routine.

In order to be able to run automatically when Windows starts up Troj/Lineage-I sets the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BossIdea
%WINDOWS%/java/winlogin.exe

Troj/Lineage-I may also attempt to delete all files with the following extensions from the %WINDOWS%/Media folder:

wav
rmi
mid

Troj/Lineage-I will attempt to disable a number of anti-virus and security related processes and windows, including:

EGHOST.EXE
MAILMON.EXE
KKAVSVC.EXE
KAVPFW.EXE
KAV.EXE
IPARMOR.EXE
RavMon.exe
ZoneAlarm

Troj/Lineage-I may also attempt to download and execute files from the internet.

The Trojan also modifies the HOSTS file (located in '<System>\drivers\etc\') in order to deny access to certain computer security websites. It adds entries for the following websites, redirecting them to 127.0.0.1:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.kasperksy-labs.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.symantec.com
127.0.0.1 www.viruslist.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 ftp.avp.ru
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 ftp.kaspersky.com
127.0.0.1 downloads-us22.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-us2l.kaspersky-labs.com
127.0.0.1 downloads-eu2l.kaspersky-labs.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 221.215.84.2
127.0.0.1 210.51.23.7
127.0.0.1 www.szadk.com
127.0.0.1 asp3.6to23.com
127.0.0.1 www.akoak.com
127.0.0.1 www.ky173.com
127.0.0.1 www.999sj.com