Sophos

Troj/Stinx-N

Summary

Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from March 2006 (4.03)
Protection available since 27 January 2006 16:32:52 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Troj/Stinx-N is a backdoor Trojan for the Windows platform.

Troj/Stinx-N includes functionality to download and execute further code, and attempts to disable various security related processes.

At the time of writing Troj/Stinx-N is being aggressively spammed out in emails with subject lines such as the following:

Campus Student Raped
Do you recognise this person?
Rape on Campus

The Trojan is included as an attachment, typically named "suspicious photo.exe", which the recipient is encouraged to open. The body of the email message is typically as follows:

Hello,

During the early morning of January 25 2006, a campus student was the victim of a horrific sexual assault within college grounds. Eyewitnesses report a tall black man in grey pants running away from the scene. Campus CCTV has caught this man on camera and are looking for ways to identify him. If anyone recognises the attached picture could they inform administraion immediatly

Regards,

Robert Atkins
Campus Administration

All information contained within this e-mail, including any attachment, is
confidential. If you have received this e-mail in error, please delete it
immediately. Do not use, disclose or spread the information in any way and notify the sender immediately. Any views and opinions expressed in this e-mail may not represent those of Business Monthly

The following emails have also been seen distributing Troj/Stinx-N:

Subject line:
Photo Approval Required

Message text:
Hello,

Your photograph has reached editing stage as part of an article we are publishing for our February edition of Traders World Monthly. Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one. We've attached the photo with the article here.

Kind regards,

Jamie Andrews
Editor
TradersWorld

Subject line:
Payment Receipt

Message text:
Dear customer.

Thank you for your subscription to http://www.<adult-website>.com

You have been billed as Paycom LLC for the amount of: USA 49.99 for 30 days then USA 39.99 recurring every 30 days.

Time: 2006-1-05 20:38
Transaction ID: 965658
Amount: GBP 49.99
Applied to Account0: 10915104
Payment Method: VISA

Your new subscription identification number is:10915104, please keep this number in a safe place as it will be required for reference in all future correspondence regarding your membership.

When first run Troj/Stinx-N copies itself to <Windows system folder>\csrwjd.exe

The following registry entries are created to run csrwjd.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ProtocolEventTsk
csrwjd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProtocolEventTsk
csrwjd.exe
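As an added example (not Sophos's own removal tool), the following PowerShell script automates the registry check described in the Action section above and in the entries just listed: it enumerates the Run key under HKLM and under every loaded user hive in HKEY_USERS, reports values whose name is ProtocolEventTsk or whose data references csrwjd.exe, and deletes them only when run with -Remove. The value name and file name come from this page; the parameter names, the -Remove switch and the output format are this script's own assumptions. Export the registry first, as the Action section advises.

```powershell
# Added example, not Sophos's own tooling: audit the Run keys named in the
# advisory for the Troj/Stinx-N autorun entry and remove it on request.
# 'ProtocolEventTsk' and 'csrwjd.exe' come from the advisory; the parameter
# names, the -Remove switch and the output format are this script's own.
# Run from an elevated prompt. Without -Remove the script only reports.
param(
    [string]$ValueName = 'ProtocolEventTsk',
    [string]$FileName  = 'csrwjd.exe',
    [switch]$Remove
)

# Warn if the dropped file is still on disk: clean the file before the entry
$dropped = Join-Path -Path ([Environment]::SystemDirectory) -ChildPath $FileName
if (Test-Path -Path $dropped) {
    Write-Warning "$dropped still exists; remove the file before deleting its Run entry"
}

# HKEY_USERS is not exposed as a drive by default; map it so each loaded hive can be read
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Run keys to audit: HKLM plus one per loaded user hive (the *_Classes hives hold no Run key)
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # Walk the value names, skipping the PS* properties the registry provider adds
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        $data = [string]$prop.Value
        # Match on the value name the Trojan uses, or on the file name in the value data
        if ($prop.Name -eq $ValueName -or $data -match [regex]::Escape($FileName)) {
            $findings += [pscustomobject]@{ Key = $key; Name = $prop.Name; Data = $data }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Run entries referencing $ValueName or $FileName found."
}
else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        foreach ($f in $findings) {
            Remove-ItemProperty -Path $f.Key -Name $f.Name -Confirm:$false
            Write-Output "Removed $($f.Name) from $($f.Key)"
        }
    }
}
```

Run it first without -Remove and review the findings before deleting anything. The script matches on both the value name and the value data because either alone can miss an entry: a variant may change the value name, and the data may be a full path rather than the bare file name the advisory shows. Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on must be checked separately.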

