Sophos

Troj/Hostol-A

Aliases
  • Trojan.Win32.Zapchast

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from December 2004 (3.88)
Protection available since 17 October 2004 15:09:11 (GMT)
Detected by All Sophos products

More Information

Troj/Hostol-A is a multi-component backdoor Trojan which may also be used to hide malicious processes on the computer.

The first dropper component, which may be downloaded as SETTER.EXE by Troj/Wort-B, drops a file called LCVGA.EXE into the Windows system folder and executes it. It writes the file first under a TMP extension, deletes any existing file in the folder called LCVGA.EXE, and then renames the TMP file to LCVGA.EXE. Troj/Hostol-A creates the following registry entry to run the dropped file on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lcvga

Troj/Hostol-A also creates a service with a Display and Service name of "lcvga" in order to run this dropped file on system startup.

Troj/Hostol-A may delete the SETTER.EXE dropper component and may delete registry entries at the following location:

HKCU\SOFTWARE\Numega

The file LCVGA.EXE acts as a further dropper which drops a kernel-mode driver to a file OTHOST.SYS in the DRIVERS subfolder of the Windows system folder. It also creates a service with a Display and Service name of "othost" in order to run this driver on system startup.

The driver OTHOST.SYS may attempt to hide processes by manipulating the entries in the device descriptor table.

The file LCVGA.EXE also drops a further executable directly into memory and runs it with its own loader code, bypassing the operating system loader. This component is detected as Troj/Mastseq-A but is never written to disk as a file.

Troj/Hostol-A may also drop data files with filenames which include the following:

PBMP.NLS
RASHM.VTD
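The following PowerShell script is an added example (not part of this Sophos entry and not a Sophos tool) that checks a host for the persistence artifacts described above: the Run value, the two service registrations and the dropped files. It assumes the Windows system folder is $env:SystemRoot\System32, that the data files were dropped into that same folder (the entry does not state their location), and that it is run from an elevated session so HKLM and the services key are readable.

```powershell
# Added example: hunt for Troj/Hostol-A persistence artifacts on the local host.
# Assumptions (not from the Sophos entry): system folder = $env:SystemRoot\System32,
# data files dropped alongside LCVGA.EXE, elevated session for registry reads.
function Find-HostolArtifacts {
    $sys = Join-Path $env:SystemRoot 'System32'
    $findings = @()

    # 1. Run value written by the first dropper stage
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['lcvga']) {
        $findings += "Run value 'lcvga' -> $($run.lcvga)"
    }

    # 2. Service registrations for both stages. The services key is checked
    #    directly because Get-Service does not list kernel-mode drivers.
    foreach ($name in 'lcvga', 'othost') {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path -LiteralPath $svcKey) {
            $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            $findings += "Service '$name' registered (ImagePath: $image)"
        }
    }

    # 3. Files dropped by the two stages (data-file location is an assumption)
    $paths = @(
        (Join-Path $sys 'LCVGA.EXE'),
        (Join-Path $sys 'drivers\OTHOST.SYS'),
        (Join-Path $sys 'PBMP.NLS'),
        (Join-Path $sys 'RASHM.VTD')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    return $findings
}

$hits = Find-HostolArtifacts
if ($hits.Count -eq 0) {
    Write-Output 'No Troj/Hostol-A artifacts found.'
} else {
    Write-Output "Possible Troj/Hostol-A artifacts ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

A match on any item is a reason to isolate the host and run a full scan; the in-memory Troj/Mastseq-A component leaves no file to check for, so absence of the files above does not by itself clear the machine.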
