
Virus Information


Prevalence: Low

Name: Trojan.Danmec.B

Type:

How it spreads: Once executed, the trojan shows an error message (see below) in order to make the user believe it didn't start, but actually it drops the files checkreg.exe, iisload.dll, wslXXXXX.dll in %WINSYS% direc

Affected operating:

Aliases:

Date of surface: Dec 6 2005 12:00AM
Once executed, the trojan shows an error message (see below) in order to make the user believe it didn't start, but it actually drops the files checkreg.exe, iisload.dll, and wslXXXXX.dll in the %WINSYS% directory and installs an entry at system startup pointing to one of the dropped files (checkreg.exe). The iisload.dll file is used to inject the wslXXXXX.dll file into the EXPLORER.EXE process, so it is a memory-resident trojan. Then, the BAT file dropped in the %TEMP% folder is executed in order to delete the original file.

The error message displayed when the trojan is executed.


The code injected in EXPLORER.EXE gathers the following information about the infected computer:

The operating system (version, build, service pack)
The running processes
The installed programs (those available in the "Add/Remove Programs" section in Control Panel)
The available network adapters (their status, incoming and outgoing bytes, speed and type: Ethernet, PPP, FDDI etc.)
The hard-drives directory structure (searching drives from C: to Z: and building the entire structure for fixed drives)

This information is then encrypted and sent to a remote computer.
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities.
You can download and install the product from our eScan download page.
