Sophos

Troj/Hale-A


Summary

Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

You should manually delete any non-Trojan dropped files you do not want.

More Information

Troj/Hale-A is a set of programs that are used to provide unauthorized access to the user's system. Most of the programs in this package are legitimate utilities and are not detected by this identity.

Troj/Hale-A is typically uploaded to computers as a self-extracting archive. This self-extracting dropper drops the following files into the C:\winnt\system32\qossrv\ folder:

  • v1.0D (Haley) - empty file
  • aysshell.exe - legitimate utility
  • cdir.txt - text file
  • csrss.exe - Troj/PAdmin-B
  • FireDaemon.exe - legitimate utility
  • libeay32.dll - legitimate dll
  • mswinsck.ocx - legitimate dll
  • pskill.exe - legitimate utility
  • Secure.exe - Troj/Hale-A
  • ServUPerfCount.dll - legitimate dll
  • setup.bat - Troj/Hale-A
  • setup.PIF - PIF file to run setup.bat
  • ssleay32.dll - legitimate dll
  • wget.exe - legitimate utility
  • WinExplorer.dll - text configuration file
  • winmgnt.exe - legitimate utility
The dropper then runs setup.bat to create 3 services. It runs "C:\winnt\system32\qossrv\winmgnt.exe" as service "NTF", "C:\winnt\system32\qossrv\secure.exe" as service "NTS" and "C:\winnt\system32\qossrv\csrss.exe" as service "NTP".

Winmgnt.exe is an FTP server. Secure.exe attempts to delete network shares on the user's computer and to stop the following services: Server, Messenger, Telnet (tlntsvr) and Remote Registry.
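The following PowerShell triage script is an added example, not part of the Sophos write-up. It checks a Windows host for the persistence described above (the NTF, NTS and NTP services and the qossrv drop folder) and for the collateral damage caused by Secure.exe (missing default shares, stopped Server, Messenger, Telnet and Remote Registry services). The drop folder is taken from the page's C:\winnt\system32\qossrv\ path but resolved through $env:SystemRoot; the service short names LanmanServer, Messenger, TlntSvr and RemoteRegistry are the standard Windows names assumed to correspond to the display names given in the text. Variants use other folders, so $dropDir is a starting point, not a complete indicator.

```powershell
# Added example: hunt for Troj/Hale-A persistence and side effects on a Windows host.
# Not code from the Sophos page. Run in an elevated PowerShell session.

# Drop folder from the page (C:\winnt\system32\qossrv), resolved via SystemRoot.
$dropDir  = Join-Path $env:SystemRoot 'system32\qossrv'
$svcNames = @('NTF', 'NTS', 'NTP')          # services registered by setup.bat

# 1. Services. Match on the three short names OR on an image path inside the drop
#    folder. Never match on the file name csrss.exe alone: the genuine Windows
#    csrss.exe lives in system32, and only the copy under qossrv is Troj/PAdmin-B.
$suspectSvcs = Get-CimInstance Win32_Service | Where-Object {
    ($svcNames -contains $_.Name) -or ($_.PathName -like '*\qossrv\*')
}
if ($suspectSvcs) {
    Write-Warning 'Suspicious services found:'
    $suspectSvcs | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
} else {
    Write-Output 'No NTF/NTS/NTP or qossrv-backed services registered.'
}

# 2. Dropped files still on disk (legitimate utilities included; the page lists them).
if (Test-Path -Path $dropDir) {
    Write-Warning "Drop folder present: $dropDir"
    Get-ChildItem -Path $dropDir -File |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
}

# 3. Collateral from Secure.exe: deleted shares and stopped services.
#    Default administrative shares that a normal workstation or server exposes.
$expectedShares = @('ADMIN$', 'C$', 'IPC$')
$presentShares  = (Get-CimInstance Win32_Share).Name
$missingShares  = $expectedShares | Where-Object { $presentShares -notcontains $_ }
if ($missingShares) {
    Write-Warning "Default shares missing: $($missingShares -join ', ')"
}

# Short names assumed for the services named on the page (Server, Messenger,
# Telnet, Remote Registry). Messenger and Telnet may not exist on newer Windows,
# which is why lookup errors are suppressed rather than treated as findings.
foreach ($svc in 'LanmanServer', 'Messenger', 'TlntSvr', 'RemoteRegistry') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        Write-Warning "$svc is $($s.Status) (Secure.exe stops this service)"
    }
}
```

The script only reports; once the findings are confirmed, stop and delete the three services (for example with sc.exe delete) before removing the qossrv folder, otherwise the FTP server and Troj/PAdmin-B will be restarted at the next boot.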

csrss.exe is Troj/PAdmin-B. Other variants of Troj/Hale-A are known to use other files, such as:

  • csrsslsrms.dll - text file
  • explorer.exe - utility
  • fport.exe - utility
  • igfxtray.exe - Troj/Netstop-A
  • nc.exe - utility
  • ntlmconf.dll - text file
  • pslist.exe - utility
  • rar.exe - utility
  • reg.exe - utility
  • rmns.exe - utility
  • service.exe - utility
  • SystemUptimeLog.ocx - text file
  • tlister.exe - utility
  • winexplorer.dll - text configuration file
  • tar.exe - utility
  • GIF files
These variants also tend to use folders other than qossrv.
