How to Prevent and Remove the Trojan.Win32.Scar.cpkp


1. What is Trojan.Win32.Scar.cpkp?

Trojan.Win32.Scar.cpkp is a recent backdoor Trojan program that was first detected in September 2009. Backdoor Trojans are one of the most common methods of breaking into users' machines. They get in by posing as other programs or by bundling themselves with free software. Once inside, their backdoor component lets additional malware in, with the ultimate possibility of a complete takeover of your system.


Alias: Backdoor:Win32/Isnup.B [Microsoft]

2. Technical Details


a. The following files were created in the system:

No.  Filename                                  Size
1    %System%\msupdt.exe                       69,814 bytes
     [file and pathname of the sample #1]
2    %System%\sblog.txt                        0 bytes

  • Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Registry Modifications

    • The following Registry Key was created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MsUpdater
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MsUpdater]
        • prm1 = 74 DC C9 D9 98 99 99 9F 98 9A 98 9D F7 90 9A EA 9E ED 9A EE 9E
        • prm2 = 2D 98 8C 98 92 87 87 CE DD CB C0 DA C7 C7 DC 86 CB C7 C5 87 DB DC C9 DC 9A 86 D8 C0 D8
        • prm3 = 0x000493E0
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • ProxyEnable = 0x00000000

c. Other details

    • There were registered attempts to establish a connection with the following remote host:

      Remote Host      Port Number
      194.8.250.31     80

    • The data identified by the following URLs was then requested from the remote web server:
      • http://wdggtwegww.com/getip.php
      • http://wdggtwegww.com/stat.php

     

3. How-to's

a. How to prevent Trojan.Win32.Scar.cpkp?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these Trojans, it will break the connection and ensure your network and business security.

b. How to Remove Trojan.Win32.Scar.cpkp Manually?

Step 1: Use Windows Task Manager to end the Trojan.Win32.Scar.cpkp process

msupdt.exe

Step 2: Use Registry Editor to remove the Trojan.Win32.Scar.cpkp registry key and values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MsUpdater

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MsUpdater]
prm1 = 74 DC C9 D9 98 99 99 9F 98 9A 98 9D F7 90 9A EA 9E ED 9A EE 9E
prm2 = 2D 98 8C 98 92 87 87 CE DD CB C0 DA C7 C7 DC 86 CB C7 C5 87 DB DC C9 DC 9A 86 D8 C0 D8
prm3 = 0x000493E0
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000

Step 3: Detect and delete the other Trojan.Win32.Scar.cpkp files

%System%\msupdt.exe
[file and pathname of the sample #1]
%System%\sblog.txt
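Before working through Steps 1 to 3 by hand, a responder usually wants to confirm which of the listed indicators are actually present on the host. The following PowerShell script is an added example, not code from the original page or from Ax3soft Sax2; it assumes an elevated Windows PowerShell 5.1 or later session, only reads the process list, file system and registry, and leaves any removal to the manual steps above.

```powershell
# Added example, not code from the original page or from Ax3soft Sax2.
# Read-only triage for the indicators listed in Steps 1-3; run in an
# elevated Windows PowerShell (5.1+) session. Nothing is deleted here.
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: is the dropped executable running?
$procs = @(Get-Process -Name 'msupdt' -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $findings.Add("process msupdt.exe running, PID $($procs.Id -join ', ')")
}

# Step 3: files written to %System% (System32 on NT-based Windows).
$systemDir = [Environment]::GetFolderPath('System')
foreach ($name in 'msupdt.exe', 'sblog.txt') {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length   # page lists 69,814 and 0 bytes
        $findings.Add("file $path present ($size bytes)")
    }
}

# Step 2: the MsUpdater key and its prm1/prm2/prm3 values.
$key = 'HKLM:\SOFTWARE\Microsoft\MsUpdater'
if (Test-Path -LiteralPath $key) {
    $findings.Add("registry key $key present")
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'prm1', 'prm2', 'prm3') {
        $p = $props.PSObject.Properties[$name]
        if ($null -eq $p) { continue }
        $val = $p.Value
        if ($val -is [byte[]]) { $val = ($val | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }  # REG_BINARY, as shown on the page
        elseif ($val -is [int]) { $val = '0x{0:X8}' -f $val }                                    # REG_DWORD, as shown on the page
        $findings.Add("registry value $name = $val")
    }
}

# ProxyEnable lives under HKEY_USERS\.DEFAULT; PowerShell has no HKU: drive by default, so map one.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$inet = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = (Get-ItemProperty -LiteralPath $inet -Name ProxyEnable -ErrorAction SilentlyContinue).ProxyEnable
if ($proxy -eq 0) {
    # Listed on this page, but 0 is also the ordinary "no proxy" setting, so on its own it proves little.
    $findings.Add("ProxyEnable = 0 under $inet (weak indicator)")
}

if ($findings.Count -eq 0) { 'No Trojan.Win32.Scar.cpkp indicators found.' }
else { $findings | ForEach-Object { "MATCH: $_" } }
```

Each MATCH line maps directly onto one of the three manual steps, so the operator knows which steps still apply to this host.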

c. How to Remove these Trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm