Troj/Mifeng-K

Please follow the instructions for removing Trojans.

Troj/Mifeng-K is a backdoor Trojan for the Windows platform.

Troj/Mifeng-K includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Mifeng-K copies itself to:

<Windows folder>\IsUn0404.exe
<Windows folder>\IsUn0804.exe
<Windows folder>\IsUninst.exe
<Windows system folder>\smss.exe

and creates the following files:

<Windows system folder>\autoexec.bat
<Windows system folder>\bootex.log

Troj/Mifeng-K also creates several copies of itself in the Windows system folder with randomly chosen file names with the SCR file extension.

The following registry entries are created to run smss.exe and one of the SCR
files:

HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<Windows system folder>\<random name>.scr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
internet
"<Windows system folder>\smss.exe"

The following registry entry is set, so that smss.exe is run when files with extensions of TXT are opened/launched:

HKCR\txtfile\shell\open\command
(default)
"<Windows system folder>\smss.exe" "%1"

Registry entries are set as follows:

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
NOHIDDEN
CheckedValue
2

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
NOHIDDEN
DefaultValue
2

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
SHOWALL
CheckedValue
1

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
SHOWALL
DefaultValue
1

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
SuperHidden
CheckedValue
0

HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
SuperHidden
UncheckedValue
0