Trojan.Mdropper.Z
Trojan.Mdropper.Z may arrive on a computer as an attachment to a spam email message. When the attachment is opened, Trojan.Mdropper.Z exploits the Microsoft Word Workspace Memory Corruption Remote Code Execution Vulnerability (BID 25906) in Microsoft Word 2000 and Word XP in order to drop and run a malicious executable file retrieved from a remote server.
Technical Information:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Manual Removal of Trojan.Mdropper.Z:
1. Temporarily disable System Restore (Windows Me/XP/Vista/7).
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean or delete all infected files.
5. Delete or restore any registry values added or modified by the Trojan.
6. Exit the registry editor and restart Windows.
Online Virus Scanner:
Another way to remove the Trojan without installing an additional anti-virus application is to run a thorough scan with a free online virus scanner offered on the website of a legitimate anti-virus or security vendor.
Technical Details and Additional Information:
Other behaviours of this Trojan:
- Uses rootkit techniques to hide its components
- Disables installed security programs
- Opens a backdoor port on the compromised computer
Malicious Files Added by Trojan.Mdropper.Z:
hope see again.doc (the malicious Word attachment)
%Temp%\csrse.exe
%System%\msmsgs.exe
%Temp%\drv.tak
%Windir%\bus675.sys
%Windir%\tmp.drv
C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe
Associated Windows Registry Entries:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"Startup" = "C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe"
This value redirects the user's Startup shell folder to the dropped ctfmon.exe copy so that it is launched at logon; note the misspelled "Comon" directory, chosen to resemble the legitimate "Common" path.
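The following PowerShell script is an added example, not part of the original write-up, that checks a live Windows host for the file and registry indicators listed above before manual removal is attempted. It assumes the persistence value lives under the standard CurrentVersion\Explorer\User Shell Folders key (checked for the current user and for every hive loaded under HKEY_USERS, since the entry above is given without a user SID), and that the %Temp%, %System% and %Windir% placeholders expand to the current user's TEMP folder, the System32 directory and the Windows directory. Run it from an elevated prompt; a hit is an indicator to investigate, not proof of infection on its own.

```powershell
# Added example: hunt for Trojan.Mdropper.Z indicators on a live host.
# Not the original write-up's code; file names are copied from the list above,
# the registry key name is assumed to be the standard "User Shell Folders" key.
$ErrorActionPreference = 'SilentlyContinue'

# Expand the placeholders used in the indicator list.
$temp            = $env:TEMP
$system          = [Environment]::GetFolderPath('System')
$windir          = $env:WINDIR
$allUsersAppData = [Environment]::GetFolderPath('CommonApplicationData')

$fileIndicators = @(
    (Join-Path $temp   'csrse.exe'),
    (Join-Path $system 'msmsgs.exe'),
    (Join-Path $temp   'drv.tak'),
    (Join-Path $windir 'bus675.sys'),
    (Join-Path $windir 'tmp.drv'),
    (Join-Path $allUsersAppData 'Microsoft\Comon\ctfmon.exe')   # "Comon", not "Common"
)

$hits = @()

foreach ($path in $fileIndicators) {
    # -Force so hidden/system attributes set by the rootkit component do not hide the file from us.
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $hits += [pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = ('{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime)
        }
    }
}

# Persistence: the Startup shell folder value is redirected to the dropped ctfmon.exe.
# Check HKCU plus each loaded user hive under HKEY_USERS.
$shellFolderKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$hiveRoots = @('HKCU:') + (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })

foreach ($root in $hiveRoots) {
    $keyPath = "$root\$shellFolderKey"
    $startup = (Get-ItemProperty -Path $keyPath -Name 'Startup').Startup
    # A legitimate value points at a "...\Start Menu\Programs\Startup" directory, never at an .exe.
    if ($startup -and ($startup -match '\\Comon\\ctfmon\.exe$' -or $startup -match '\.exe$')) {
        $hits += [pscustomobject]@{
            Type   = 'Registry'
            Where  = "$keyPath\Startup"
            Detail = $startup
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No Trojan.Mdropper.Z indicators found.'
} else {
    Write-Warning ('{0} indicator(s) found; see table below.' -f $hits.Count)
    $hits | Format-Table -AutoSize
}
```

The registry check flags any Startup shell-folder value that ends in ".exe", not only the exact path above, because a legitimate value always names a directory; the file check deliberately does not delete anything, since the write-up's removal steps call for a scan in Safe Mode after the indicators have been confirmed.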