Troj/Icedoor-A

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
asvhost.exe
asvhost.exe

and delete it if it exists.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
asvhost.exe
asvhost.exe

and delete it if it exists.

Close the registry editor.

Troj/Icedoor-A is a backdoor Trojan for the Windows platform.

Troj/Icedoor-A connects to the internet and tries to establish contact with and download code from several preconfigured locations as well as opening up a backdoor port on the infected computer.

Troj/Icedoor-A copies itself to the Windows system folder and creates the following registry entries to run itself automatically at log on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
asvhost.exe
asvhost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
asvhost.exe
asvhost.exe

Troj/Icedoor-A also creates a number of other registry entries beneath the main entry

HKCR\CLSID\
{FBB13C90-29C0-4233-B967-BB6DE54FE92A}

Troj/Icedoor-A creates a text file in the Windows system folder named "port.txt" which contains the hexadecimal port number of the backdoor it has opened.