Virus.Win32.Virut.ce can infect and overwrite files to be able to execute and spread itself. Virus.Win32.Virut.ce can also block access to security websites by modifying the Windows Hosts file. It can also inject malicious iframe on web files such as .HTM, .PHP or .ASP. The Trojan will badly infect .exe and .scr files on the computer resulting to severe malfunctions.

Category: Trojan Horse

Risk Level: High

Aliases:

• W32.Virut.CF
• W32/Virut.n
• PE_VIRUX.A-1
• W32/Scribble-A
• Virus:Win32/Virut.BM

Technical Details

Characteristics:
Virus.Win32.Virut.ce will infect executable files under MS Windows systems. The virus is a Windows PE EXE file that is polymorphic in nature. This Trojan will embed malicious code into processes running on the compromised computer. Next, the code seizes critical system functions to trace running application and open files. Upon detecting an initiated application, it infects the main executable file. Since this is a polymorphic PE EXE virus, it will write its own code on expanded PE portion of file. This action will result to the adjustment of the program’s entry point, which leads to the execution of the virus code.

The virus may infect every executable item very badly. It renders the compromised file irrecoverable. Antivirus applications may attempt to remove part of the infected code but the result is catastrophic. What the virus does is irreversible.

Distribution Method:
Computer users may acquire Virus.Win32.Virut.ce in various ways. Web site employing a drive-by-download method can instantly drop and execute this Trojan on visitor’s computer. Another means to spread this infection is through spam email messages and peer-to-peer network connections.

When it is set inside the computer, it monitors running processes and inject its code into the address space. It is intended to infect other executable files that have .exe and .scr extensions.

Recommended Virus.Win32.Virut.ce Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

go.google, go.yahoo and go.msn are browser hijacker that dominantly redirect web browser to a fake online virus scanner web sites. go.google and go.yahoo existence is a result of a Trojan infection that has a payload of modifying browser settings, disable locally installed security programs and monitor Internet activity of the infected computer.

go.google, go.yahoo and go.msn web sites do not exist. It is an error page created locally that is configured to redirect to various fake security web sites. The site will run a fake online virus scanner that later detects numerous types of computer infections. It will advise visitors to clean these threats using a recommended tool. However, before the program can proceed to its scan and detect features, user must purchase first the registration key. This tactic is a clear indication of a fraud activity perpetuated by fake antivirus applications.

Screen Shot:

Category: Trojan Horse

Risk Level: Medium

Technical Details

Characteristics:
go.google.com, go.yahoo.com and go.msn.com are odd Internet browser behavior that can be attributed as browser hijacker. This infection is brought about by a Trojan infection that may also cause multiple system misbehavior. The obvious sign for this type of infection on the computer is having the home page or search result be forwarded to any of the mentioned deficient domains.

Once the Trojan invades the system, it will drop the following malicious files to accomplish its objective:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
C:\WINDOWS\karna.dat
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\wini10802.
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\TDSS(four random characters).dll
C:\WINDOWS\system32\drivers\TDSSserv.sys
C:\WINDOWS\system32\drivers\TDSS(four random characters).sys

Next, it will conquer the registry to obtain start-up spot. It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKEY_LOCAL_MACHINE\SOFTWARE\tdss
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk

Recommended go.google – go.yahoo Removal Procedure

Here is a simple step-by-step procedure to remove go.google – go.yahoo virus from an infected computer. Please follow the steps carefully.

1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop or any accessible location of your hard drive.

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install the program using the “default” settings.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click Finish. Program will run automatically and you will be prompt to update the program before starting a scan. Please proceed with update to obtain the latest database necessary to detect and remove go.google – go.yahoo.

6. Scan your computer thoroughly and completely check all files, folders and registry entries for possible infection.

7. When scanning is finished, click on Show Results.

8. Make sure that all detected threats are marked, click on Remove Selected.

9. After removing items associated with go.google – go.yahoo, it will prompt to restart the computer. Click Yes to complete the cleaning process.

10. When computer starts, open MalwareBytes Anti-Malware. Go to Quarantine tab and click on Delete All to fully remove all malicious items.

Note: go.google – go.yahoo – go.msn infection may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.

Trojan.Zlob.K is a Trojan horse that may download and execute remote files and redirect Internet Explorer home page and search page to a different address. It may add encryption key to certain folders to hide associated files or any stolen data from the compromised computer.

Category: Trojan Horse

Risk Level: Low

Aliases:

• TROJ_ZLOB.MU
• Trojan-Downloader.Win32.Zlob.s
• Downloader-XC
• Trojan.Zlob.B

Technical Details

Characteristics:
Since Trojan.Zlob.K is a downloader, its goal is to download additional malware. It will communicate to predefined web sites, fetch malicious data, and run them on the infected computer.

Once activated, the Trojan may drop the following files:
%System%\ncompat.tlb
%System%\interf.tlb
%System%\hp[RANDOM CHARACTERS].tmp

Then, it will add the following registry entry so that it executes on every Windows start-up:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\”nvctrl.exe” = “nvctrl.exe”

To gain automatic start-up when running Windows Explorer, this Trojan will set the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
notepad.exe
msmsgs.exe

Additional registry entry that calls the application file msmsgs.exe is added. This will also allow Trojan.Zlob.K to run on every Windows start-up.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = “msmsgs.exe”

Lastly, the Trojan will hide malicious activities by injecting codes into legitimate file Explorer.exe.

Distribution Method:
Trojan.Zlob.K may arrive on target computer by means of another Trojan infection.

Recommended Trojan.Zlob.K Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\”nvctrl.exe”
= “nvctrl.exe”

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

Trojan.Galapoper.A is a computer infection that when executed will communicate to a remote server to download additional risks onto target system. This Trojan may also steal user’s data and send it to an attacker using HTTP POST protocol or email communication. Trojan.Galapoper.A and its variants habitually download Trojans from other groups of Downloaders, which may result to additional infections.

Category: Trojan Horse

Risk Level: Low

Aliases:

• Trojan-Downloader.TIBS
• Trojan.Galapoper.A
• Trojan-Downloader.Win32.Tibs.il
• Tibs
• WORM_NUCRP.GEN
• Mal/TibsPak, Mal/HckPk-A, Troj/Tibs-Fam
• TrojanDownloader:Win32/Vxidl.gen!A
• Trojan-Downloader.Win32.Tibs
• Win-Trojan/Tibs.7346.DN

Technical Details

Characteristics:
When executed, Trojan.Galapoper.A will avoid antivirus detection by applying a method of obfuscation. IT also performs the following set of operations:

• Inform an attacker of computer infection through email
• Create a copy of itself to various locations of the compromised system
• Drop a number of infected and clean files
• Communicate to predefined web sites to execute more malware
• Disable any installed antivirus, firewall, and other security-related software
• Steal sensitive information and send the gathered data to a remote attacker via email or HTTP POST protocol

Distribution Method:
This Trojan will arrive on computer with filename “zhopaizdupla.exe.” It is dropped by another Trojan infection that is usually obtained from malicious web sites and unsecured peer-to-peer connection.

Recommended Trojan.Galapoper.A Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_CURRENT_USER = “WindowsSubVersion” = “[VALUE]“

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

Trojan.Zlob.J is a member of a Zlob family that refers to a large group of malware involving in malicious acts like modifying Internet browsers, redirect home page and search results, install fake security applications, and execute arbitrary file from a remote server. Trojan.Zlob.J also allows a remote attacker to access the compromised computer. Thus, the attacker may perform malicious actions and steal sensitive data from the infected system.

Category: Trojan Horse

Risk Level: Medium

Technical Details

Characteristics:
Upon execution, Trojan.Zlob.J will drop the following harmful files:
%System%\ld[RANDOM CHARACTERS].tmp
%System%\dfrgsrv.exe

To gain automatic start-up spot, the Trojan will modify Windows registry and add the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
“wininet.dll” = “dfrgsrv.exe”

Alternative start-up method is to inject malicious code into the following Windows process that runs when Windows starts:
winlogon.exe

Once running on the compromised system, Trojan.Zlob.J will monitor Internet activities and may modify settings of the home page.
Lastly, the Trojan will establish an HTTP connection to specified URL and performs the following actions:

• Ping the remote computer
• Send a status report regarding the infected system
• Download and execute remote files, which upgrade itself

Distribution Method:
Trojan.Zlob.J uses the web primarily to spread a copy of itself. Malicious web sites, infected web pages and unsafe file-sharing networks are the top sources of this Trojan. Once inside the computer, it may contaminate other files locally but will never spread on neighboring computers.

Recommended Trojan.Zlob.J Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run “wininet.dll” = “dfrgsrv.exe”

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.