Sophos

Troj/Singu-T

Aliases
  • Backdoor.Win32.Singu.o
  • BackDoor-CGX
  • trojan
  • Backdoor.Singu.B
  • BKDR_SINGU.O

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 8 August 2005 15:27:30 (GMT)
Detected by All Sophos products


More Information

Troj/Singu-T is a password-stealing backdoor Trojan which attempts to steal confidential information and send it to a remote location.

When first run the Trojan moves itself to a read-only, hidden, system file "<Windows>\i love you.exe" and creates:

  • a hidden system file <Windows>\bubbes.bmp. This file may be deleted.
  • a read-only, hidden, system file <System>\_UsbDriver_.dll. This file is detected by Sophos as Troj/Singu-O.

Troj/Singu-T also displays a fake message box with the title "Black Hole 2004.Build20040915" and the message "Install Complete!".

The following registry entry is created to run Troj/Singu-T on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
test = "\i love you.exe"

The following line may also be added to the [windows] section of Win.ini to run the Trojan on startup:

run = "\i love you.exe"

Troj/Singu-T will connect to a remote site and then listen for backdoor commands from a remote user. The backdoor can be used to:

  • copy, delete, run, upload and download files on the infected computer
  • log keyboard presses
  • capture images from an attached webcam
  • listen in using the microphone
  • list and kill processes running on the computer
  • steal email account information including usernames and passwords

Troj/Singu-T will enable Auto-dial and Auto-disconnect on any dial-up accounts by changing the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodisconnect

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodial
EnableAutodisconnect

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
EnableAutodial
EnableAutodisconnect
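The persistence and auto-dial indicators above can be checked offline against artefacts pulled from a host or disk image. The following is an added example, not Sophos code: it parses the contents of Win.ini and a .reg-style export of the keys named in this description, and reports which Singu-T indicators are present. The sample inputs at the end are constructed.

```python
# Added example, not Sophos code: triage the Troj/Singu-T persistence indicators
# above against text collected from a host or disk image (Win.ini and a .reg-style
# export of the keys in the write-up). Sample inputs at the end are constructed.
LOADER = r"\i love you.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTODIAL = ("EnableAutodial", "EnableAutodisconnect")

def winini_run_entries(text):
    """Programs on the run= line of [windows]; Win.ini allows several, comma separated."""
    section = None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition("=")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and key.strip().lower() == "run":
            return [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return []

def reg_export_values(text):
    """Parse a .reg export into {key: {name: data}}, decoding dword: and doubled backslashes."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = int(data[6:], 16) if data.startswith("dword:") else data.strip('"').replace("\\\\", "\\")
            values.setdefault(key, {})[name.strip('"')] = data
    return values

def singu_findings(winini_text, reg_text):
    """One line per indicator from the description that is present in the inputs."""
    found = []
    if any(e.lower().endswith(LOADER) for e in winini_run_entries(winini_text)):
        found.append("Win.ini [windows] run= launches " + LOADER)
    reg = reg_export_values(reg_text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith(LOADER):
            found.append(f"Run value {name!r} launches {LOADER}")
    for key, vals in reg.items():  # covers every Internet Settings key listed above
        if key.endswith("Internet Settings"):
            found += [f"{n}=1 under {key}" for n in AUTODIAL if vals.get(n)]
    return found

SAMPLE_WININI = '[windows]\nload=\nrun = "\\i love you.exe"\nNullPort=None\n[fonts]\n'
SAMPLE_REG = (
    f"Windows Registry Editor Version 5.00\n\n[{RUN_KEY}]\n"
    '"test"="\\\\i love you.exe"\n\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\n"
    '"EnableAutodial"=dword:00000001\n"EnableAutodisconnect"=dword:00000001\n')
```

Auto-dial settings can also be enabled legitimately, so those two findings are prompts to verify rather than confirmation on their own; the Run key value and the Win.ini entry are the specific indicators.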
