Code: p332 Severity: Warning
Description: Subseven 2.1 Gold is a Trojan Horse offering complete control of the infected host. Impact: Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Other versions are capable of launching DDoS attacks. Corrective: This is a particularly difficult Trojan to remove and should only be
attempted by an experienced Windows Administrator.
Edit the system registry to remove the extra keys or restore a
previously known good copy of the registry.
Affected registry keys are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Registry key added:
Winloader
Also affected:
HKEY_CLASSES_ROOT\exefile\shell\open\command
This registry key should be blank, i.e. ""
The registry should also be searched for the entry
HKEY_CLASSES_ROOT\.dl
if this exists it should be deleted.
This Trojan may also be started from the files win.ini and system.ini,
remove the entry run=MSREXE.exe and change the line
shell=Explorer.exe MSREXE.exe to the default value shell=explorer.exe.
Removal of the Trojan is also required, look for the file "MSREXE.exe"
in the
|
