Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | March 2005 (3.91) |
| Protection available since | 26 January 2005 08:49:29 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Replace the HOSTS file from a backup, or edit it in Notepad to remove the changes the Trojan has made.
More Information
Troj/Harnig-AM is a downloader Trojan which tries to silently download executable files from a remote location and execute them.
Troj/Harnig-AM runs as a service process (not as a service) downloading files from remote servers to the following locations on the local computer:
%SYSTEM%\dktibs.exe
%SYSTEM%\systime.exe
%WINDOWS%\toolbar.exe
%WINDOWS%\test
At the time of writing, the version of dktipbs.exe that Troj/Harnig-AM tries to download is detected as Troj/Dloader-CX. Versions of the other files mentioned above currently stored on the remote server are either corrupt or have a filesize of zero.
Troj/Harnig-AM creates a new version of the HOSTS file located at %WINDOWS%\HOSTS or %SYSTEM%\Drivers\etc\HOSTS, mapping selected websites to the loopback address 127.0.0.3 in order to prevent access to these sites. The new HOSTS file created by Troj/Harnig-AM typically contains a fixed list of such entries.
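As an added illustration (not part of the Sophos description), the following Python audit reads a Windows HOSTS file, flags any hostname that is mapped into the loopback range without being a localhost alias, which is the tampering pattern described above, and strips those lines as the Action section suggests. The sample file contents and hostnames are constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file: the stock localhost lines plus
# injected 127.0.0.3 redirections of the kind described above (placeholder names).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example.test   # legitimate admin entry
127.0.0.3 update.vendor-a.example
127.0.0.3 www.vendor-a.example
127.0.0.3 downloads.vendor-b.example
"""

# Names that may legitimately point at a loopback address.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each mapping line, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:  # address followed by at least one hostname
            yield n, parts[0], parts[1:]


def suspicious_entries(text):
    """Flag hostnames mapped into the loopback range that are not localhost aliases.
    '127.0.0.3 www.example.test' sends that site's traffic to the local machine,
    which is how the Trojan above blocks access to the sites it lists.
    """
    flagged = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal, nothing to check
        if ip.is_loopback:
            flagged += [(line_no, addr, h) for h in names if h.lower() not in LOOPBACK_OK]
    return flagged


def cleaned_hosts(text):
    """Return the file with flagged lines removed, i.e. the manual fix from the Action section."""
    bad = {line_no for line_no, _, _ in suspicious_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"
```

On a real machine, read %SYSTEM%\Drivers\etc\HOSTS into `text` and compare the audit result against a known-good backup before writing anything back.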
Troj/Harnig-AM attempts to terminate all active processes whose executable filenames match entries in a fixed list carried by the Trojan.
Troj/Harnig-AM may arrive on the computer by browsing web pages infected with Troj/Codebase-C. Troj/Codebase-C may arrive on the computer by browsing web pages infected with Troj/Rider-K. For further information please refer to the Troj/Codebase-C and Troj/Rider-K descriptions.
