How to Prevent and Remove the Trojan-PWS.Win32.VB


1. What is Trojan-PWS.Win32.VB?

Trojan-PWS.Win32.VB is a password-stealing trojan horse that puts the compromised computer and its network environment at risk. It can log user keystrokes and so capture confidential data such as usernames, passwords and credit card numbers. The Microsoft detection name places it in the OnLineGames family, which targets online-game account credentials.

Aliases:
  • Trojan Horse (Symantec)
  • Trojan-PSW.Win32.VB.bba (Kaspersky Lab)
  • PWS:Win32/OnLineGames.GE (Microsoft)

 

2. Technical Details

a. The following files were created on the system:

  #   Filename(s)                              File Size
  1   %Windir%\System.exe                      145,110 bytes
      [file and pathname of the sample #1]

  • Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

 

b. Memory Modifications

  • A new process was created on the system:

  Process Name   Process Filename       Main Module Size
  System.exe     %Windir%\system.exe    647,168 bytes

  • Note: the in-memory main module (647,168 bytes) is much larger than the file on disk (145,110 bytes). This is consistent with a packed executable that decompresses itself at load time, so the size of the running image should not be used to match the file. No legitimate Windows component is installed as %Windir%\System.exe; the kernel's "System" process (PID 4) has no such backing file.

c. Registry Modifications

    • The following Registry Key was created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5D449002-7E59-973B-7B27-5209B6A3E6D3)
        (the key name is reproduced exactly as observed, with a closing parenthesis rather than a brace; match it literally when searching the registry)
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5D449002-7E59-973B-7B27-5209B6A3E6D3)]
        • StubPath = "%Windir%\System.exe"

        Active Setup runs a component's StubPath once per user account, at the first logon of that account after the key appears, and then records a per-user copy of the key under HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components. Because the key is machine-wide, every account that logs on launches System.exe at least once.

      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • Winlogon = "%Windir%\System.exe"

        so that System.exe runs every time the infected user account logs on. The value name "Winlogon" is chosen to resemble the legitimate Windows logon component (winlogon.exe) and has no special meaning in this key.

d. Other details

    • The following port was open on the system:

    Port   Protocol   Process
    1054   TCP        System.exe (%Windir%\System.exe)

    • Attempts to establish a connection to a remote host were recorded. The connection details are:

    Remote Host      Port Number
    41.237.31.192    100


3. How-to's

    a. How to prevent Trojan-PWS.Win32.VB?

    Keep the Sax2 policy (signature) knowledge base up to date. Once Ax3soft Sax2 detects the network communication of this trojan, such as the connection to the remote host listed in section 2 d, it interrupts the connection to protect your network and business.

    b. How to Remove Trojan-PWS.Win32.VB Manually?

    Step 1: Use Windows Task Manager to end the Trojan-PWS.Win32.VB process

    System.exe (%Windir%\System.exe)

    End the process before touching anything else: while it is running, the file is locked and a live copy may write its registry values back.

    Step 2: Use Registry Editor to remove the Trojan-PWS.Win32.VB registry values

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5D449002-7E59-973B-7B27-5209B6A3E6D3)]
    StubPath = "%Windir%\System.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Winlogon = "%Windir%\System.exe"

    The Run value lives in the hive of the user who was logged on when the infection happened, so check the HKEY_CURRENT_USER of every account that uses the machine, not only the one you are cleaning from.

    Step 3: Detect and delete the remaining Trojan-PWS.Win32.VB files

    %Windir%\System.exe
    [file and pathname of the sample #1]
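The three manual steps above, together with the indicators from section 2, as one triage script. This is an added example, not code from the original page or from Ax3soft; it assumes an elevated PowerShell prompt (Windows 8 / Server 2012 or later for Get-NetTCPConnection) opened in the account that was infected, and the -Remove switch name is this example's own. Without -Remove it only reports; with -Remove it performs the removal in the same order as the manual steps.

```powershell
<#
Added example (not from the original page or from Ax3soft): report, and optionally
remove, the Trojan-PWS.Win32.VB indicators documented above.
#>
[CmdletBinding()]
param([switch]$Remove)

# Indicators copied from section 2 of this page.
$FilePath   = Join-Path $env:WINDIR 'System.exe'
$FileSize   = 145110                 # reported on-disk size, bytes
$RemoteHost = '41.237.31.192'        # reported remote host
$RemotePort = 100
# Key name reproduced as reported, including the trailing ')' instead of '}'.
$ActiveSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{5D449002-7E59-973B-7B27-5209B6A3E6D3)'
$RunKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. Process. The kernel's "System" process (PID 4) has no Path, so filtering on the
#    path keeps only a user-mode System.exe loaded from %Windir%.
$procs = @(Get-Process -Name 'System' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq $FilePath })
foreach ($p in $procs) { $findings += "process PID $($p.Id) running from $($p.Path)" }

# 2. File on disk. Size and hash go into the incident notes; a size that differs from
#    the reported 145,110 bytes means a different build, not a clean file.
if (Test-Path -LiteralPath $FilePath) {
    $len  = (Get-Item -LiteralPath $FilePath).Length
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $findings += "file $FilePath ($len bytes, reported $FileSize; SHA256 $hash)"
}

# 3. Persistence values.
$stub = Get-ItemProperty -Path $ActiveSetupKey -Name 'StubPath' -ErrorAction SilentlyContinue
if ($stub) { $findings += "Active Setup StubPath = $($stub.StubPath)" }
$run = Get-ItemProperty -Path $RunKey -Name 'Winlogon' -ErrorAction SilentlyContinue
if ($run)  { $findings += "HKCU Run value Winlogon = $($run.Winlogon)" }

# 4. Network. Any TCP connection to the reported remote endpoint, whatever its state.
$conns = @(Get-NetTCPConnection -RemoteAddress $RemoteHost -RemotePort $RemotePort -ErrorAction SilentlyContinue)
foreach ($c in $conns) {
    $findings += "TCP $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) ($($c.State), PID $($c.OwningProcess))"
}

if ($findings.Count -eq 0) { Write-Host 'No Trojan-PWS.Win32.VB indicators found.'; return }
$findings | ForEach-Object { Write-Host "[+] $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to clean up.'; return }

# Removal in the order of the manual steps: stop the process first, because the
# running image locks the file and a live copy may write the registry values back.
foreach ($p in $procs) { Stop-Process -Id $p.Id -Force }
if ($run)  { Remove-ItemProperty -Path $RunKey -Name 'Winlogon' }
if ($stub) { Remove-Item -Path $ActiveSetupKey -Recurse }
# Active Setup copies the key under HKCU once the stub has run for this user; clear
# that leftover too so no registry entry still references the sample.
$userCopy = $ActiveSetupKey -replace '^HKLM:', 'HKCU:'
if (Test-Path -Path $userCopy) { Remove-Item -Path $userCopy -Recurse }
if (Test-Path -LiteralPath $FilePath) { Remove-Item -LiteralPath $FilePath -Force }
Write-Host 'Removal complete; reboot and re-run this script to confirm nothing returned.'
```

Run it once per user account that uses the machine, because the Run value and the Active Setup per-user copy live in each account's own HKCU hive; an elevated prompt opened with a different administrator account sees that administrator's hive, not the infected user's. On systems older than Windows 8, replace the Get-NetTCPConnection step with netstat -ano and look for the remote address and port by hand.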

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-spyware program and scan your machine with it. To detect computer threats in the easiest and fastest way possible, we recommend Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, among them a built-in protection monitor that blocks malicious processes before they start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.


    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
