‘Secret Admirer’ Confesses Through Web TV Spam

TROJ_RENOS.AAM

This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites. It creates folders. It drops copies of itself.

Upon execution, it displays the following interface:

(Screenshot: TROJ_RENOS.AAM interface)

It creates registry keys and entries, including entries that enable its automatic execution at every system startup.

POSSIBLE_MLWR-13

This is the Trend Micro detection for suspicious files that manifest similar behavior and characteristics to those of TROJ_AGENT, WORM_RBOT, or TROJ_MANCSYN variants.

For support on detected files, samples may be submitted to Trend Micro. Detailed analysis will be done on submitted samples and corresponding cleaning instructions may be applied, if necessary.

To submit files, please refer to the Solution section.

TROJ_ADCLICKE.QZ

JS_REDIR1.A

This JavaScript may be hosted on a Web site and run when a user accesses the said Web site.

This JavaScript connects to remote URLs to download files. As a result, the malicious routines of the downloaded files are exhibited on the affected system. However, note that as of this writing, the said URLs are inaccessible.

TROJ_FAKEALER.GZ

CRYP_MORPHINE

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as malware packed by Morphine.

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

CRYP_VIRUT-4

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

CRYP_YODAP

This is the Trend Micro heuristic detection for suspicious files packed by Yoda's Protector.

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

WORM_STRAT.GEN-3

This worm arrives as attachment to email messages spammed by another malware or a malicious user. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates registry key(s)/entry(ies) as part of its installation routine. It modifies registry key(s)/entry(ies) as part of its installation routine.

It drops files/components. Trend Micro detects some of the dropped files as WORM_GENERIC. As a result, the malicious routines of the dropped files are exhibited on the affected system.

It connects to a certain Web site possibly to download files.

WORM_BRONTOK.BA

This worm propagates by attaching a copy of itself to email messages, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email message it sends out has the following details:

Subject: {blank}

Message body: (any of the following)

• Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA (Indonesian: "Imprison the corrupt, smugglers, bribers, and drug dealers")

• SAY NO TO DRUGS !!!

• Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL ) (Indonesian: "Stop free sex, abortion, and prostitution (Go to HELL)")

• Stop pencemaran lingkungan, pembakaran hutan & perburuan liar. (Indonesian: "Stop environmental pollution, forest burning and poaching.")



Attachment: (any of the following)

• CCAPPS.EXE

• KANGEN.EXE

• MYHEART.EXE

• SYSLOVE.EXE

• UNTUKMU.EXE

• WINWORD.EXE
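The subject, body lines and attachment names listed above are enough for a mail-gateway rule. The following is an added example, not Trend Micro's code or tooling: it parses a raw RFC 5322 message with Python's standard email library and reports which of the listed indicators it matches. The verdict logic (a listed attachment name plus either a blank subject or a listed body line) is this example's own choice, and the sample message it builds is constructed for the demonstration with dummy attachment bytes, not the worm.

```python
"""Mail-gateway check for the WORM_BRONTOK.BA indicators listed above."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators copied from the writeup above. The worm's subject is blank.
BRONTOK_BODIES = {
    "Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA",
    "SAY NO TO DRUGS !!!",
    "Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )",
    "Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.",
}
BRONTOK_ATTACHMENTS = {
    "CCAPPS.EXE", "KANGEN.EXE", "MYHEART.EXE",
    "SYSLOVE.EXE", "UNTUKMU.EXE", "WINWORD.EXE",
}


def score_message(raw: bytes) -> dict:
    """Return which Brontok indicators a raw message matches.

    A missing Subject header and an empty one are both treated as blank.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject_blank = not (msg.get("Subject") or "").strip()
    body_text = ""
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        name = part.get_filename()
        if name:
            attachments.append(name.upper())   # names are matched case-insensitively
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    body_hit = any(line.strip() in BRONTOK_BODIES
                   for line in body_text.splitlines())
    att_hits = sorted(set(attachments) & BRONTOK_ATTACHMENTS)
    return {
        "subject_blank": subject_blank,
        "body_match": body_hit,
        "attachment_match": att_hits,
        # Example's own rule: attachment name plus one more indicator.
        "verdict": bool(att_hits) and (subject_blank or body_hit),
    }


def build_sample(body: str, attachment: str, subject: str = "") -> bytes:
    """Constructed test message (not a real sample). Empty subject = no header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    # Dummy bytes stand in for the attachment; this is not worm code.
    msg.add_attachment(b"MZ\x00\x00dummy", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("SAY NO TO DRUGS !!!", "KANGEN.EXE")))
    print(score_message(build_sample("Quarterly report attached.",
                                     "report.pdf", subject="Q3 report")))
```

The attachment-name match carries most of the weight on purpose: the Indonesian body strings are easy for the worm's author to change, while the executable names are what the gateway should strip regardless.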

This worm has several autostart routines that ensure its execution every time the machine restarts in normal or safe mode and every time an instance of the command prompt is opened.

It modifies the registry to disable registry tools, and to hide the affected machine's hidden and system files. In addition, it also hides file extension names.

It restarts the affected system whenever it finds an open window with specific strings in the title bar. It also terminates Task Manager and Process Explorer.

On systems running Windows NT, 2000, XP, and Server 2003, this worm overwrites the HOSTS file located at %System%\drivers\etc with an .HTML file. It does the said routine to prevent the affected system from accessing Web sites that are mostly related to antivirus and security applications.
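The autostart, policy and HOSTS-file changes described above can be audited from an exported registry dump and a copy of the HOSTS file. The following is an added example, not Trend Micro's code or cleaning tool. The writeup names the behaviours but not the registry paths; the paths in CHECKS are the standard Windows locations for the settings it describes (registry-tool lockout, command-prompt AutoRun, safe-mode shell, Explorer visibility) and are this example's assumption. The vendor keyword list and all sample inputs are constructed for the demonstration.

```python
"""Host-side audit for the WORM_BRONTOK.BA indicators described above."""
import ipaddress
import re

# Illustrative keywords for "antivirus and security" sites (constructed).
SECURITY_KEYWORDS = ("trendmicro", "symantec", "norton", "mcafee",
                     "kaspersky", "grisoft", "avast", "microsoft")
HTML_MARKER = re.compile(r"<\s*(!doctype|html|head|body|script)\b", re.I)

# (path, expected value, severity). Standard Windows locations, assumed by
# this example. "strong": never set this way on a clean install.
# "baseline": visibility settings the worm also flips, but which can look
# this way legitimately, so they are reported at lower severity.
CHECKS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "strong"),
    (r"HKLM\Software\Microsoft\Command Processor\AutoRun", "", "strong"),
    (r"HKCU\Software\Microsoft\Command Processor\AutoRun", "", "strong"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell", "cmd.exe", "strong"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "baseline"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 1, "baseline"),
]


def audit_hosts(text: str) -> dict:
    """Classify a HOSTS file body.

    The worm replaces the file with HTML, so any HTML marker or line whose
    first field is not an IP address means the file was overwritten. Lines
    that name a security vendor host are reported as hijacked regardless of
    the address they map to, since a clean HOSTS file rarely lists them.
    """
    html = bool(HTML_MARKER.search(text))
    bad_lines, hijacked = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append(raw)
            continue
        for host in fields[1:]:
            if any(k in host.lower() for k in SECURITY_KEYWORDS):
                hijacked.append((host, str(addr)))
    return {"overwritten": html or bool(bad_lines),
            "unparsable_lines": bad_lines,
            "hijacked": hijacked}


def audit_registry(values: dict) -> list:
    """Compare a dump of registry values (path -> value) against CHECKS.

    Paths absent from the dump are skipped (absent AutoRun and
    DisableRegistryTools values are the clean state), so export completely.
    """
    findings = []
    for path, expected, severity in CHECKS:
        if path not in values:
            continue
        found = values[path]
        same = (str(found).strip().lower() == expected.lower()
                if isinstance(expected, str) else found == expected)
        if not same:
            findings.append({"path": path, "found": found,
                             "expected": expected, "severity": severity})
    return findings


# Constructed samples, not real captures.
SAMPLE_HOSTS_OVERWRITTEN = "<html><body>\n<h1>overwritten</h1>\n</body></html>\n"
SAMPLE_HOSTS_CLEAN = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"
SAMPLE_HOSTS_HIJACKED = ("127.0.0.1 localhost\n"
                         "127.0.0.1 www.trendmicro.com\n"
                         "127.0.0.1 securityresponse.symantec.com\n")
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKLM\Software\Microsoft\Command Processor\AutoRun": r"C:\placeholder\autorun.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": 1,
}

if __name__ == "__main__":
    for sample in (SAMPLE_HOSTS_OVERWRITTEN, SAMPLE_HOSTS_CLEAN, SAMPLE_HOSTS_HIJACKED):
        print(audit_hosts(sample))
    for finding in audit_registry(SAMPLE_REGISTRY):
        print(finding["severity"], finding["path"], "->", finding["found"])
```

Run the HOSTS check against a copy taken with the file's raw bytes, not through a tool that resolves names: a file that is HTML will not parse as a hosts table and that is the whole signal. On a live machine the dump for audit_registry is produced with `reg export` or PowerShell's Get-ItemProperty; the paths used here are the assumed locations, so confirm them against your own baseline before acting on a finding.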