HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.19271 (B) (Emsisoft), Gen:Variant.Symmi.19271 (AdAware), Trojan-Downloader.Win32.Torcohost.FD, Trojan-PSW.Win32.Zbot.6.FD, Trojan.Win32.Swrort.3.FD, BackdoorCaphawQKKBAL.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanPSWZbot.YR, PUPTorClient.YR (Lavasoft MAS) Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Backdoor, PUP, IRCBot The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information. Requires JavaScript enabled! MD5: bd4be8edfd122a71ba3fbf SHA1: 6072638ae63bdf75baa0 SHA256: 518e277a92e3d39b0ff39d1be121169bab483b59b6fff95b05195e61a6dcf192 SSDeep: 49152:U0yWSt3fvIYC0q1LkYJMcdoAO/QaqkcnGIhSp4R62PHN:UhF4ZkYCAO/IHhSp4/Pt Size: 3784704 bytes File type: EXE Platform: WIN32 Entropy: Not Packed PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05v6 Company: no certificate found Created at: 2010-11-13 01:18:10 Analyzed on: WindowsXP SP3 32-bit Summary: Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them. Payload Behaviour Description IRCBot A bot can communicate with command and control servers via IRC channel. Process activity The Trojan creates the following process(es):%original file name%.exe:1676 icoka.exe:336 The Trojan injects its code into the following process(es): iexplore.exe:1940 iexplore.exe:252 Explorer.EXE:888 Mutexes The following mutexes were created/opened: No objects were found.

File activity No files have been created. Registry activity The process%original file name%.exe:1676 makes changes in the system registry. The Trojan creates and/or sets the following values in system registry: HKLM SOFTWARE Microsoft Cryptography RNG 'Seed' = 'D4 A7 25 31 C7 16 54 2A 37 AE 13 5C 3C 33 B4 9F' The process icoka.exe:336 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry: HKLM SOFTWARE Microsoft Cryptography RNG 'Seed' = 'B7 1C 91 CB A4 25 75 3A 25 86 FB 20 42 11 E5 D8' Dropped PE files MD5 File path 7325091fd24d4049de5034 c: Documents and Settings '%CurrentUserName%' Application Data Tayb icoka.exe 9b39e0c4247a9f607b936b c: Documents and Settings '%CurrentUserName%' Local Settings Temp OpenCL.dll HOSTS file anomalies No changes have been detected.

Overview Infected with a virus? Unsure whether your existing antivirus software has detected and removed it? Still having problems and unsure where to turn to next? Sophos Virus Removal Tool can help.

Sophos 8 0 1c Stalled Labor

Using cutting edge technology found in our enterprise-grade software, this powerful tool detects all types of malicious software on your computer—including viruses, spyware, rootkits and Conficker—and returns it to a working state. The tool has direct access to virus data from SophosLabs, our global network of threat researchers, ensuring that even the very latest viruses are detected and removed. And it works alongside your existing antivirus.

For full details of how to use the tool, refer to the article Here’s how. Download the tool, run the program and put the Virus Removal Tool on your desktop. Double click Sophos Virus Removal Tool and then click the Start scanning button.

The tool scans your computer and removes any viruses it finds. You’re done What it does With more than 100 million global users our Sophos Virus Removal Tool includes the same great security features available in our Sophos Enduser Protection solution:. User memory scanning and cleaning. Kernel memory scanning and cleaning. File scanning.