Sophos

Troj/Stinx-Q


Summary

 
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 30 January 2006 16:20:53 (GMT)
Detected by: All Sophos products

More Information

Troj/Stinx-Q is an IRC backdoor Trojan for the Windows platform.

The Trojan may arrive as an email attachment with the filename "Photo+Article.zip". Typically the email has characteristics similar to the following:

Subject line:
Photo and Article

Message text:

Hello,

Your photograph has reached editing stage as part of an article we are publishing for our February edition of Traders World Monthly. Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one. We've attached the photo with the article here.

Troj/Stinx-Q connects to an IRC channel and listens for backdoor commands from a remote user. Backdoor functionality includes the ability to run arbitrary commands.

The Trojan may also download further malicious code.

Troj/Stinx-Q attempts to terminate a number of processes, including some belonging to anti-virus applications.

When first run Troj/Stinx-Q copies itself to <System>\csrnvrt.exe and creates two randomly named BAT files in the Temp folder. One of these files is used to attempt to bypass the Windows firewall. The other is used to delete the original copy of the Trojan.

The following registry entries are created to run csrnvrt.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
DriverModule
csrnvrt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DriverModule
csrnvrt.exe
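
The persistence indicators listed above can be checked on a host with a short PowerShell script. This is an added example, not part of the original Sophos description; the function names are hypothetical, and it assumes <System> means the Windows system directory.

```powershell
# Indicators taken from the description above.
$ImageName = 'csrnvrt.exe'
$ValueName = 'DriverModule'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Find-StinxQRunEntry {
    param([string[]]$Path = $RunKeys)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Flag on the value name or on the data, in case only one of them matches.
            if ($name -eq $ValueName -or $data -like "*$ImageName*") {
                [pscustomobject]@{ Indicator = 'RunValue'; Location = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Find-StinxQFile {
    # Assumption: <System> is the Windows system directory (for example C:\Windows\System32).
    $candidate = Join-Path ([Environment]::SystemDirectory) $ImageName
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $f = Get-Item -LiteralPath $candidate -Force
        [pscustomobject]@{
            Indicator = 'File'; Location = $f.FullName; Name = $f.Name
            Data = "$($f.Length) bytes, created $($f.CreationTimeUtc.ToString('u'))"
        }
    }
}

$hits = @(Find-StinxQRunEntry) + @(Find-StinxQFile)
if ($hits.Count) { $hits | Format-Table -AutoSize }
else { 'No Troj/Stinx-Q indicators from this description found.' }
```

The HKCU check covers only the account running the script, so other user profiles on the same machine need to be checked separately.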
