Generic BackDoor!bdm

Type: Trojan
SubType:
Discovery Date: 10/29/2009
Length:
Minimum DAT: 5786 (10/29/2009)
Updated DAT: 6593 (01/18/2012)
Minimum Engine: 5.2.00
Description Added: 10/29/2009
Description Modified: 11/11/2009 12:15 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Properties

File Name: Xp.exe
Size: 66,048 bytes
MD5: 0709C498C40B4987B0E181B00274C7B6
SHA1: 45D3C1023A160B2F7D07CF5A508756C391985752

Aliases

Kaspersky: Trojan.Win32.Dialer.ext
Ikarus: Trojan.Win32.Dialer
Ahnlab: Win-Trojan/Downloader.48640.AI
Sophos: Mal/EncPk-

Characteristics

System Changes

It enables backdoor functionality by connecting to a remote site and performing actions as programmed by a remote attacker.

The following folders have been added to the system:

  • %SystemDrive%\DATA
  • %SystemDrive%\DATA\SYSTEM

The following files have been added to the system:

  • %SystemDrive%\DATA\SYSTEM\Desktop.ini
  • %SystemDrive%\DATA\SYSTEM\Xp.exe

When Xp.exe is executed, it creates a copy of itself on the system.

It uses explorer.exe to perform malicious activities.

The following registry elements have been added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74KC2A323342}
"StubPath" = "%SystemDrive%\DATA\SYSTEM\Xp.exe"

The above-mentioned registry entry causes the copy to run automatically every time Windows starts.

These are the defaults for typical path variables (they may differ, but these are common examples):
%SystemDrive% = the drive where Windows is installed (C: is the default on most computers)
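As an added example (not part of this McAfee description), the following PowerShell check enumerates the Active Setup Installed Components keys and flags any StubPath that launches an executable from outside %WinDir% and the Program Files directories, which is how an entry like the %SystemDrive%\DATA\SYSTEM\Xp.exe one above would surface. The list of trusted parent directories is an assumption to adjust per environment.

```powershell
# Added example, not McAfee's code: audit Active Setup StubPath persistence entries.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

# Assumption: legitimate StubPath targets live under these directories.
$trusted = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-StubPathExecutable {
    param([string]$StubPath)
    # StubPath may be 'C:\dir\app.exe /arg' or '"C:\dir with spaces\app.exe" /arg';
    # expand %VAR% references and return only the executable path.
    $expanded = [Environment]::ExpandEnvironmentVariables($StubPath.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ([string]::IsNullOrWhiteSpace($stub)) { return }   # no StubPath: skip component
        $exe      = Get-StubPathExecutable $stub
        $exeLower = $exe.ToLowerInvariant()
        # Bare names (e.g. 'regsvr32.exe ...') are not rooted and get flagged for review too.
        $inTrusted = $trusted | Where-Object { $exeLower.StartsWith($_ + '\') }
        [PSCustomObject]@{
            Component  = $_.PSChildName
            StubPath   = $stub
            Executable = $exe
            Exists     = Test-Path -LiteralPath $exe
            Suspicious = (-not $inTrusted)   # outside WinDir / Program Files
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious deserve a look at the file's hash and signature; a StubPath whose executable no longer exists usually means the component was already cleaned but the key was left behind.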

Symptoms

The server component is installed on the victim machine, typically into %WinDir% or %WinDir%\System. System startup is generally hooked via a Registry key or adding an entry into the WIN.INI or SYSTEM.INI system files.

Method of Infection

Once the server component is installed on the victim machine, it opens a port and typically issues a notification to the hacker. The hacker can then connect to that machine using the client component.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A