Troj/Multidr-FT

Please follow the instructions for removing Trojans.

Troj/Multidr-FT is a Trojan for the Windows platform.

Troj/Multidr-FT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Multidr-FT includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Multidr-FT is installed the following files are created:

<System>\demo.xt - text file of passwords and can be deleted.
<System>\dorod.exe - Detected as HideWindows Potentially Unwanted Application
<System>\hi - text file that can be deleted.
<System>\lssas.exe - detected as Troj/Multidr-FT
<System>\niamx - detected as Troj/Multidr-FT
<System>\o1o2o3o4 - detected as Troj/Multidr-FT
<System>\remote.ini - detected as Troj/Multidr-FT
<System>\t1m3r - detected as Troj/Multidr-FT
<System>\uninstall.uni - text file that may be deleted.
<Windows>\uninstyler.exe - This file is not malicious and may be deleted

The Trojan also creates the following folders:

<System>\logs
<System>\sounds

The following registry entry is created to run lssas.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tamer
<System>\LSSAS.exe

Registry entries are created under:

HKCU\Software\Microsoft\Microsoft Agent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Application
HKCU\Software\mIRC\DateUsed
HKLM\SOFTWARE\Instyler\uninstyler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC

Troj/Multidr-FT provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "My Application" and "mIRC". However, these uninstallers do not remove the Trojan.