Sophos

Troj/Peper-A

Action

Windows 95/98/Me

If Sophos Anti-Virus is not already installed on the computer, either use the DOS version from the DOS folder on the Sophos CD, or download it and extract it. Copy the files into a C:\Sophtemp directory on the computer.

Restart the computer in DOS mode

  • On Windows 95/98 go to the Start menu and select Shut Down. Choose the option 'Restart the computer in DOS mode'.
  • On Windows Me create a startup disk and boot from that. Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the 'Startup Disk' tab and click the 'Create Disk' button. When you have created the startup disk, write-protect it and boot from it. Remove the floppy disk from the A: drive.
Change to the SWEEP directory.
  • If you have a full Sophos Anti-Virus installation type
    CD C:\PROGRA~1\SOPHOS~1
    (alternatively CD C:\PROGRA~1\SOPHOS~2). Type DIR *.TXT to check that the file READ95.TXT is listed; if it is not, try the alternative directory.
  • If you are using the Sophtemp directory type
    CD C:\SOPHTEMP
To delete the Trojan files type

SWEEP C: -REMOVEF -P=LOGFILE.TXT

Reboot to Windows.

You will need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Close the registry editor.

Windows 2000/XP

Restart the computer in Safe Mode. Go to Start|Shut Down. Select Restart from the drop-down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows 2000, press F8" (the wording differs slightly on Windows XP). In the Advanced Options Menu select the third option, 'Safe Mode with Command Prompt'.

If Sophos Anti-Virus is not already installed on the computer either use SAV32CLI from the Sophos CD or download an emergency copy on an uninfected computer, extract it and write it to CD.

At the command prompt type

CD C:\Program files\Sophos SWEEP for NT

(or, if you are using a CD, insert it and type CD D:\WIN32\I386\SAV32CLI or CD D:\SAV32CLI).

Then type:

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

to remove the Trojan.

Check whether all of the Trojan files have been deleted. If they have not, their file names and paths will be listed in LOGFILE.TXT; the usual reason is that the Trojan sets the system and hidden attributes on its copies, which prevents deletion. Change to the directory containing each remaining Trojan file and type

ATTRIB -S -H TROJAN.EXE

where 'TROJAN.EXE' is the name of the Trojan.

Then run another scan with SAV32CLI as above to remove the remaining files.

You will need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

Type

REGEDIT

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Close the registry editor.

Windows NT

Please contact technical support.

Other platforms

Please read the instructions for removing Trojans.

More Information

Troj/Peper-A is a Trojan which downloads files from the internet to the victim's computer.

Troj/Peper-A drops several copies of itself, with system and hidden attributes set, within the Windows system folder as randomly-named EXE files and adds an entry to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run itself on system restart.

Note that the registry entry may point to a different copy of the Trojan after each reboot, so the file named in the Run key is not necessarily the only copy on disk.

Troj/Peper-A also drops a hidden encrypted data file within the Windows system folder which contains information about the copies of the Trojan on the disk.

Troj/Peper-A keeps two copies of itself running at any time: one downloads files from the internet and the other monitors the running process IDs to make sure the first is still alive. Thus, if one copy is terminated using the Task Manager, the other copy immediately starts a replacement.
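The behaviour described above (randomly named hidden+system copies in the system folder, a Run value that rotates between them, and a watchdog process that restarts whichever copy is killed) is what makes the ATTRIB and registry steps in the Action section necessary. The following PowerShell script is an added triage example written for this page; it is not a Sophos tool and not part of the original analysis. It assumes the copies live under $env:SystemRoot\System32 (or the Windows 9x System folder), that the Run value names a copy by full path, and it matches files purely by location and attributes, since the names are random. Run it from an elevated prompt in Safe Mode and leave $DryRun set until you have reviewed the flagged list.

```powershell
# Added example (not Sophos's tool): triage helper for the Troj/Peper-A behaviour described above.
# Assumptions (hypothetical): copies sit in the system folder with Hidden+System set, and the
# Run value names one of them by full path. Review $flagged before setting $DryRun to $false.
$DryRun  = $true
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System")

# 1. Candidate files: EXEs in the system folder carrying both the Hidden and System attributes.
$hiddenExes = foreach ($d in $sysDirs) {
    if (Test-Path $d) {
        Get-ChildItem -Path $d -Filter *.exe -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                           ($_.Attributes -band [IO.FileAttributes]::System) }
    }
}
$candidatePaths = @($hiddenExes | ForEach-Object { $_.FullName })

# 2. Run-key values whose command line points at one of those files.
$flagged = @()
$runValues = Get-ItemProperty -Path $runKey
foreach ($prop in $runValues.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSChildName, ...)
    $cmd = [string]$prop.Value
    # Strip surrounding quotes and any arguments to recover the executable path.
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    if ($candidatePaths -icontains $exe) {
        $flagged += [pscustomobject]@{ ValueName = $prop.Name; Path = $exe }
    }
}
"Run values pointing at hidden+system EXEs:"
$flagged | Format-Table -AutoSize

# 3. The two running copies restart each other, so stop every process whose image is one of
#    the candidate files in a single pass, then repeat (bounded) until none is left.
for ($i = 0; $i -lt 5; $i++) {
    $procs = Get-Process -ErrorAction SilentlyContinue |
             Where-Object { $_.Path -and ($candidatePaths -icontains $_.Path) }
    if (-not $procs) { break }
    if ($DryRun) { "Would stop PIDs: $($procs.Id -join ', ')"; break }
    Stop-Process -Id $procs.Id -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 200
}

# 4. Remove each flagged Run value and the file it names, clearing the attributes first
#    (the same thing the ATTRIB -S -H step in the Action section does by hand).
foreach ($hit in $flagged) {
    if ($DryRun) {
        "Would remove value '$($hit.ValueName)' and file $($hit.Path)"
        continue
    }
    Remove-ItemProperty -Path $runKey -Name $hit.ValueName -ErrorAction SilentlyContinue
    attrib -s -h "$($hit.Path)"
    Remove-Item -LiteralPath $hit.Path -Force -ErrorAction SilentlyContinue
}

# 5. The other dropped copies are not referenced by the Run key, so they are only listed here
#    for manual review (and a follow-up SAV32CLI scan), not deleted automatically.
"Other hidden+system EXEs in the system folder (review manually):"
$hiddenExes |
    Where-Object { @($flagged | ForEach-Object { $_.Path }) -inotcontains $_.FullName } |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

The script deliberately stops processes before touching files, and stops all matching processes in one cmdlet call, because killing the copies one at a time lets the watchdog respawn its partner between kills. The hidden encrypted data file mentioned above is not identified here: it has no distinguishing name or extension that the page reports, so it is left to the scanner.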
