Trojan.Verprud
Trojan.Verprud is a Trojan created for the sole purpose of stealing cookies. It also lowers security settings on the infected computer by disabling Protected Mode in Internet Explorer version 8.
Technical Information:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Manual Removal of Trojan.Verprud:
1. Temporarily disable System Restore (Windows Me/XP/Vista/7).
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry (see the registry entries listed below).
6. Exit the registry editor and restart Windows.
Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, available on the websites of legitimate anti-virus and security providers.
Technical Details and Additional Information:
Other functionalities of this Trojan:
- Steals cookies from Firefox
- Injects a new thread into selected processes
- Stops various processes
Malicious Files Added by Trojan.Verprud:
%System%\appconf32.exe
%System%\cock
%System%\xmldm
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,%System%\appconf32.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"del" = "%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"prd" = "[RANDOM URL]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"vendor" = "Old"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ver" = "[THREE NUMBERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"w8" = "USA_[ENCRYPTED STRING]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh\"prh" = "[RANDOM URL]"
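The registry entries above are the most useful indicators for triage, because the Winlogon Userinit value is what keeps appconf32.exe running after every logon. The following script is an added example, not code from the original page or from any anti-virus vendor: it parses a "reg export" style dump of the two keys, flags any Userinit entry other than the legitimate userinit.exe, reports which of the listed Internet Settings value names are present, and computes the cleaned Userinit value that step 5 of the manual removal would write back. The sample dump is constructed; its download path, URLs and "123" stand in for the [ORIGINAL THREAT FILE NAME], [RANDOM URL] and [THREE NUMBERS] placeholders on the page, and the %System% token would appear expanded (for example C:\WINDOWS\system32) in a real export.

```python
import re

# Constructed sample of a "reg export" dump from a host matching the indicators on the page.
# Paths, URLs and the "ver" value are placeholders, not real observed values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%System%\\userinit.exe,%System%\\appconf32.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"del"="C:\\Users\\victim\\Downloads\\invoice.exe"
"prd"="http://placeholder.invalid/prd"
"vendor"="Old"
"ver"="123"
"w8"="USA_ZXhhbXBsZQ=="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh]
"prh"="http://placeholder.invalid/prh"
"""

# Constructed sample of the same keys on a clean host, for comparison.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INET = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
# Value names listed on the page directly under Internet Settings; "prh" lives in a subkey.
INET_VALUES = ("del", "prd", "vendor", "ver", "w8")


def parse_reg_export(text):
    """Parse the [key] / "name"="string" subset of a .reg export into {key: {name: value}}.
    Non-string values (dword:, hex:) are skipped; doubled backslashes are unescaped."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                name, raw = m.groups()
                keys[current][name] = raw.replace("\\\\", "\\")
    return keys


def _is_userinit(entry):
    # The only entry a clean Userinit value should carry is userinit.exe (any directory spelling).
    low = entry.lower()
    return low == "userinit.exe" or low.endswith("\\userinit.exe")


def check_userinit(keys):
    """Return Userinit entries other than userinit.exe, e.g. the appended appconf32.exe."""
    value = keys.get(WINLOGON, {}).get("Userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not _is_userinit(e)]


def restore_userinit(value):
    """Compute the cleaned Userinit string (step 5 of manual removal): keep only userinit.exe,
    preserving the trailing comma Windows expects. Writing it back is done with reg.exe/regedit."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return ",".join(e for e in entries if _is_userinit(e)) + ","


def check_internet_settings(keys):
    """Return the page-listed value names found under Internet Settings and its prh subkey."""
    found = {}
    inet = keys.get(INET, {})
    for name in INET_VALUES:
        if name in inet:
            found[name] = inet[name]
    prh = keys.get(INET + "\\prh", {})
    if "prh" in prh:
        found["prh\\prh"] = prh["prh"]
    return found


def triage(text):
    """Return a list of (indicator, detail) findings for a .reg dump; empty means no match."""
    keys = parse_reg_export(text)
    findings = [("userinit-extra", e) for e in check_userinit(keys)]
    findings += [("inet-value", f"{n}={v}") for n, v in check_internet_settings(keys).items()]
    return findings


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_REG), ("clean", CLEAN_REG)):
        print(label, triage(dump) or "no indicators")
```

Run it against the output of `reg export` for the two keys (one export per key, concatenated) and treat any userinit-extra finding as the primary signal; the Internet Settings names are corroboration, since "ver" or "vendor" alone could be legitimate on some hosts. Apply the restored Userinit value only after the dropped files have been removed in Safe Mode, as the removal steps above order it.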