Troj/PWS-KI

Please follow the instructions for removing Trojans.

Troj/PWS-KI is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/PWS-KI includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan may send an email to inform a remote user when a computer has been compromised, and may also inform the remote user of the password used to connect to the internet.

Troj/PWS-KI modifies internet security settings. Troj/PWS-KI is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/PWS-KI includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan may send an email to inform a remote user when a computer has been compromised, and may also inform the remote user of the password used to connect to the internet.

When first run Troj/PWS-KI copies itself to the Windows folder and to
<Startup>\Server.exe.

Troj/PWS-KI also creates the following files:

\sendhmtl.htm
<CurrentFolder>\regadd706.Reg

The file sendhmtl.htm can be deleted.

The file regadd706.Reg may cause the follwing registry entry to be set, so that the Trojan automatically runs on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
<name of copy of Trojan in the Windows folder>

Note that the second copy of the Trojan, in the <Startup> folder, will also be started automatically.

The following registry entry is also set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1601
0