Trojan.Wsnpoem
Trojan.Wsnpoem is a Trojan horse for the Windows operating system. Once installed it connects to the Internet and retrieves commands from a remote server over HTTP. As the alias list below shows, it is an early member of the Zbot (Zeus) family of credential-stealing Trojans.
Alias: Win32/Kollah.NU, W32/Zbot, TROJ_ZBOT.AJD, TROJ_ZBOT.QT, Generic PWS.y!F1684D85, TROJ_ZBOT.AJR, Troj/Zbot-AX, Troj/Zbot-BD, Troj/BckDoor-B, Troj/Zbot-CK, Troj/Agent-KZY, Troj/Dloadr-CXH
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
Upon execution, the Trojan drops several files into the Windows System folder. It also terminates the processes outpost.exe and zlclient.exe (the Agnitum Outpost firewall and ZoneAlarm clients) so that its network activity is not blocked.
Next, it creates the folder %System%\wsnpoem and sets the hidden attribute on it, so the dropped components are not shown in a default Explorer view.
Additionally, Trojan.Wsnpoem may redirect network traffic and open a backdoor port on the infected computer, allowing a remote attacker to gain unauthorized access.
Distribution
This Trojan typically spreads through spam campaigns. The message poses as a delivery notice from DHL and carries an attachment named “Delivery_Info.ZIP”; the archive contains the Trojan, packed to evade anti-virus detection. The spam email bodies seen so far read as follows:
Dear Customer,
The courier service was not able to deliver your parcel at your address.
Cause: Mistake in address
You may pick up the parcel at our post office personally.
The delivery advice is attached to this e-mail.
Print this label to get this package at out post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
DHL Delivery Services.

Dear Customer,
Your package has been returned to the DHL office.
The reason of the return is – Incorrect delivery address of the package!
Attached to the letter mailing label contains the details of package delivery.
You have to print mailing label, and come in the DHL office in order to receive the packages.
Thank you for your attention.
DHL International

Added Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"

Associated Files and Folders:
%System%\ntos.exe
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
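The indicators above can be checked on a suspect host before relying on a scanner. The following PowerShell script is an added example written for this page, not code from the original write-up or from any vendor tool. It reports every indicator it finds and, only when run with the -Remove switch, kills the dropper, deletes the Run and UID values and removes the dropped files. It assumes an elevated prompt; on 64-bit Windows a 32-bit dropper is redirected into SysWOW64, so both system folders are searched. Note that the "userinit" value name is a decoy: the legitimate Userinit setting lives under HKLM\...\Winlogon and never appears as an HKCU Run entry, so any HKCU Run\userinit value is suspicious on its own.

```powershell
<#
  Added example, not part of the original Trojan.Wsnpoem write-up.
  Hunts for the registry and file indicators listed on this page and,
  with -Remove, cleans them up. Assumes an elevated PowerShell prompt.
#>
param(
    [switch]$Remove   # default is report-only
)

# A 32-bit dropper on 64-bit Windows lands in SysWOW64; check both folders.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ }

# File and folder indicators from the "Associated Files and Folders" list.
$relativePaths = @('ntos.exe', 'wsnpoem', 'wsnpoem\audio.dll', 'wsnpoem\video.dll')

# Registry indicators from the "Added Registry Entries" list.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$netKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Running dropper (image name ntos.exe).
Get-Process -Name ntos -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Process' $_.Path "PID $($_.Id)"
}

# 2. Persistence: HKCU Run\userinit pointing at ntos.exe.
$runValue = (Get-ItemProperty -Path $runKey -Name userinit -ErrorAction SilentlyContinue).userinit
if ($runValue -and $runValue -match 'ntos\.exe') {
    Add-Finding 'Registry' "$runKey\userinit" $runValue
}

# 3. Bot identifier written under the Network key.
$uid = (Get-ItemProperty -Path $netKey -Name UID -ErrorAction SilentlyContinue).UID
if ($uid) {
    Add-Finding 'Registry' "$netKey\UID" $uid
}

# 4. Dropped files. -Force is required because the wsnpoem folder is hidden.
foreach ($dir in $systemDirs) {
    foreach ($rel in $relativePaths) {
        $full = Join-Path $dir $rel
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if ($item) {
            Add-Finding 'File' $full "Attributes: $($item.Attributes)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Trojan.Wsnpoem indicators found.'
    return
}
$findings | Format-Table -AutoSize

if (-not $Remove) {
    Write-Host 'Report-only run. Re-run with -Remove (preferably in Safe Mode) to clean up.'
    return
}

# Cleanup order matters: stop the process first so its files can be deleted,
# then drop persistence, then remove the files (-Force handles the hidden folder).
Get-Process -Name ntos -ErrorAction SilentlyContinue | Stop-Process -Force
Remove-ItemProperty -Path $runKey -Name userinit -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $netKey -Name UID -ErrorAction SilentlyContinue
foreach ($dir in $systemDirs) {
    Remove-Item -LiteralPath (Join-Path $dir 'ntos.exe') -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath (Join-Path $dir 'wsnpoem') -Recurse -Force -ErrorAction SilentlyContinue
}
Write-Host 'Cleanup attempted; reboot and run a full antivirus scan to confirm.'
```

Run it once without -Remove to confirm what is present, then again with -Remove from Safe Mode so the dropper is not running and the Run value is not re-created. Because the Trojan can inject into other processes and redirect traffic, treat this as a first pass: credentials entered on the machine while it was infected should be considered exposed, and the full scan in the removal steps below is still required.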
How to Remove Trojan.Wsnpoem
1. Temporarily disable System Restore (Windows Me/XP), so that infected files in restore points are not reintroduced after cleanup.
2. Open your antivirus application and update its virus definitions, so that even the most recent Trojan.Wsnpoem variant can be identified.
3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- The computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now boot loading only the drivers and files it needs; Run-key entries such as the Trojan's "userinit" value are not started.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items; if an item cannot be deleted, quarantine it instead. Once the scan is complete, proceed with the next step.
Scan with Norton Power Eraser:
Norton Power Eraser (NPE) is a free tool from Symantec that uses deep-scan heuristics to detect and remove threats such as Trojan.Wsnpoem, including items that a regular virus scan fails to identify. NPE can be downloaded from Symantec.
Important! Because of Norton Power Eraser’s aggressive heuristics, it can flag legitimate files as suspicious. Review its findings carefully before letting it remove anything.