Sophos

Troj/LeechPie-D

Aliases
  • TROJ_DROPPER.JU

Summary

Affected operating systems: Windows
Characteristics:
  • Drops more malware
  • Installs itself in the registry
Included in our products from: November 2005 (3.99)
Protection available since: 1 September 2005 00:06:11 (GMT)
Last updated: 12 September 2005 04:23:48 (GMT)
Detected by: All Sophos products

More Information

Troj/LeechPie-D is a multi-component backdoor Trojan for the Windows platform.

When Troj/LeechPie-D is installed the following files are created:

<Windows>\pk.log
<Windows>\un\ComDlg.dll
<Windows>\un\ComDlg.ocx
<Windows>\un\CommonDlg32.pk1
<Windows>\un\CommonDlg32.pk2
<Windows>\un\acls.exe
<Windows>\un\admdll.dll
<Windows>\un\confini.exe
<Windows>\un\delsrv.exe
<Windows>\un\dtreg.exe
<Windows>\un\exe.bat
<Windows>\un\exec.bat
<Windows>\un\hiderun.exe
<Windows>\un\kill.exe
<Windows>\un\ntsvc.ocx
<Windows>\un\scvhost.exe
<Windows>\un\secure.exe
<Windows>\un\secure2.exe
<Windows>\un\serv.exe
<Windows>\un\wmc.exe
<System>\QuicktmeLib.dll

The files confini.exe, exe.bat, secure2.exe and QuicktmeLib.dll are also detected as Troj/LeechPie-D. The file acls.exe is detected as Troj/ServU-BD.

The remaining files are not inherently malicious but are used by the Trojan and should be deleted.

The Trojan records information about its installation in the file pk.log.

When first installed, the Trojan attempts to remove the following services:

eventlsvc
lspool
netddc
nvsvc64
nvsvcsrv
pnpext
r_server
Serv-U
tcp-ip
TlntSvr
winman

The Trojan attempts to kill the following processes:

cygwin1.dll
lspool.exe
Msconfig.exe
nvsvc.exe
nvsvc_client.exe
nvsvc64.exe

The Trojan may move the following files into the Windows system folder:

acls.exe
admdll.dll
ComDlg.dll
ComDlg.ocx
CommonDlg32.pk1
CommonDlg32.pk2
NTSVC.ocx
scvhost.exe
wmc.exe

The file wmc.exe is a legitimate remote administration tool. This tool is installed as a service "pnpext" with registry entries created in the following locations:

HKLM\SYSTEM\RAdmin
HKLM\SYSTEM\CurrentControlSet\Services\pnpext
HKLM\SYSTEM\CurrentControlSet\Control\Lsa

The Trojan attempts to change firewall settings to register wmc.exe and acls.exe as allowed programs.

The Trojan attempts to disable McAfee anti-virus software for the duration of the installation.
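As an added defender-side triage check (not part of the Sophos description), the following PowerShell script looks for the artefacts listed above: the dropped files, the "pnpext" service and its registry keys, the firewall allowed-program entries for wmc.exe and acls.exe, and running instances of the dropped components. It assumes Windows PowerShell run with local administrator rights and the classic Windows Firewall (XP SP2 / 2003) registry layout for the allowed-programs list.

```powershell
# Added triage script; not Sophos code. Assumes Windows PowerShell, local
# administrator rights, and the classic Windows Firewall (XP SP2 / 2003)
# registry layout for the allowed-programs list.
$findings = @()
$winDir   = $env:SystemRoot

# 1. Dropped files: the log, the <Windows>\un staging folder, the DLL in the
#    system folder, and the components the Trojan may move into the system folder.
$paths = @("$winDir\pk.log", "$winDir\un", "$winDir\System32\QuicktmeLib.dll")
$moved = 'acls.exe','admdll.dll','ComDlg.dll','ComDlg.ocx','CommonDlg32.pk1',
         'CommonDlg32.pk2','NTSVC.ocx','scvhost.exe','wmc.exe'
$paths += ($moved | ForEach-Object { "$winDir\System32\$_" })
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. The remote administration tool installed as service "pnpext", plus its keys.
$svc = Get-Service -Name pnpext -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service pnpext exists (status: $($svc.Status))" }
foreach ($k in 'HKLM:\SYSTEM\RAdmin', 'HKLM:\SYSTEM\CurrentControlSet\Services\pnpext') {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. Firewall allowed-program entries for wmc.exe and acls.exe. Entry names are
#    the full program path, so match on the file name at the end.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
          'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwList) {
    $entries = Get-ItemProperty -LiteralPath $fwList
    foreach ($name in $entries.PSObject.Properties.Name) {
        if ($name -match '(?i)\\(wmc|acls)\.exe$') { $findings += "Firewall allow entry: $name" }
    }
}

# 4. Running instances of the dropped components (note scvhost, not svchost).
foreach ($proc in (Get-Process -Name wmc, scvhost, acls -ErrorAction SilentlyContinue)) {
    $findings += "Running process: $($proc.ProcessName) (PID $($proc.Id))"
}

if ($findings.Count -eq 0) { 'No Troj/LeechPie-D artefacts found.' } else { $findings }
```

A hit on the wmc.exe file alone is not conclusive, since the page notes it is a legitimate remote administration tool; the pnpext service and the RAdmin key together with the <Windows>\un folder are the stronger combination.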
