Summary
| Included in our products from | June 2005 (3.94) |
|---|---|
| Protection available since | 1 April 2004 10:58:51 (GMT) |
| Last updated | 6 May 2005 14:15:49 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Internat = <Windows folder>\msgsrv32.exe
and delete it if it exists.
Close the registry editor.
More Information
Troj/Nyrubot-A is a backdoor Trojan. When run, the Trojan copies itself to msgsrv32.exe in the Windows folder and ensures that the copy is run each time Windows starts by adding the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Internat = <Windows folder>\msgsrv32.exe
Troj/Nyrubot-A also sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\from = yugoar@centrum.cz
HKCU\Software\Microsoft\Windows\CurrentVersion\rcpt = yugoar@centrum.cz
HKCU\Software\Microsoft\Windows\CurrentVersion\smtp = data2.centrum.cz
HKCU\Software\Microsoft\Windows\CurrentVersion\tuin = 272324532
HKCU\Software\Microsoft\Windows\CurrentVersion\time_last_msg = <number>
The Trojan allows a remote attacker to control an affected computer via IRC.
One method by which this Trojan is distributed is as follows. An email in HTML format is sent. The email attempts to link to a remote website and run a script downloaded from the website. The script creates and runs the file C:\baal.exe. Baal.exe downloads and runs the Trojan from a second website. Troj/Nyrubot-A deletes C:\baal.exe.
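The removal steps above work from a registry export, and the registry artefacts listed in this section are the indicators to look for. As an added example (not Sophos code), the following Python script parses a regedit "Export Registry File" and reports the Run\Internat persistence entry and the HKCU marker values described above; the sample export is constructed, and the check keys on the msgsrv32.exe data rather than the value name alone so that a Run value called Internat that points elsewhere is not flagged.

```python
import re
from typing import Dict, List

# Troj/Nyrubot-A registry indicators from the Sophos description; key paths are
# lower-cased for matching because the registry is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\microsoft\windows\currentversion"
MARKER_VALUES = {"from", "rcpt", "smtp", "tuin", "time_last_msg"}

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse regedit 'Export Registry File' text into {key: {value_name: data}}.
    Only REG_SZ lines ("name"="data") are kept, which is all this check needs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            # .reg files escape backslashes and double quotes inside string data.
            data = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][value.group(1)] = data
    return keys

def find_nyrubot_indicators(reg_text: str) -> List[str]:
    """Return one finding per Troj/Nyrubot-A artefact present in the export."""
    findings: List[str] = []
    keys = parse_reg_export(reg_text)
    # Persistence: Run\Internat pointing at the dropped msgsrv32.exe copy.
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "internat" and data.lower().endswith("msgsrv32.exe"):
            findings.append(f"run-key persistence: {name} = {data}")
    # Configuration values the Trojan writes under HKCU\...\CurrentVersion.
    for name, data in keys.get(MARKER_KEY, {}).items():
        if name.lower() in MARKER_VALUES:
            findings.append(f"marker value: {name} = {data}")
    return findings

# Constructed sample export (not a real capture); the second Run entry is benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Internat"="C:\\WINDOWS\\msgsrv32.exe"
"UpdaterTray"="C:\\Program Files\\Example\\tray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"smtp"="data2.centrum.cz"
"tuin"="272324532"
'''
```

Run `find_nyrubot_indicators` over an export produced by regedit's "Export Registry File" (range "All") to confirm the entries are gone after following the removal steps.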
