Threat Information for "Trojan.DownLoader.6988"

Removal Top

StopSign will automatically remove this infection with a paid membership.

Summary Top
  • Name: Trojan.DownLoader.6988
  • Aliases:TrojanDownloader.Win32.CWS.C3F3, Adware/CWS.Yexe, W32/CWS.BH, Krepper (threat-c), Win32/TrojanDownloader.CWS, W32/ARQ.S!tr.dldr
  • Date Discovered: 2006-07-26
  • Protection Added: 2006-08-15
Description Top 
-- Ease of Removal

1: Uses running processes
2: Runs as a BHO or shell extension
3: Runs as a service
4: Consistent file contents
5: Consistently named
6: Creates new registry entries with consistent data

-- Privacy Risks/Security Changes

1: Changes internet security settings
2: Downloads other threats

-- Damage/Intrusion/Annoyance

1: Downloads other threats
2: Autoruns at startup without an option to be disabled

-- Propagation/Saturation

1: Infects through Peer-2-Peer Software
2: Mimics legitimate file names
Technical Details Top
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\alg.exe.bak
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\mm.pid
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\tmp.req
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\??????????.in
  • Added Directory/File:
    FilePath: %WINDIR%\OEM.exe
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\killer.exe
  • Added Directory/File:
    FilePath: %USERDIR%\1.txt
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\services.exe
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\mm5.exe.bak
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\3.03.00.dll
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\mm5.exe
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\killer.exe.bak
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\??????????.bat
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\1.txt
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\alg.exe
  • Added Directory/File:
    FilePath: %WINDIR%\OEM.exe.bak
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\socks.exe
  • Added Directory/File:
    FilePath: %USERDIR%\tmp.req
  • Added Directory/File:
    FilePath: %WINDIR%\inet200??\winlogon.exe
  • Added Registry Key:
    Key: HKLM\Software\CLASSES\Replace.HBO
  • Added Registry Key:
    Key: HKLM\Software\CLASSES\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
  • Added Registry Key:
    Key: HKLM\%BHOREG%\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
  • Added Registry Key:
    Key: HKLM\Software\CLASSES\Replace.HBO.1
  • Added Registry Value:
    Key: HKU\.DEFAULT\%CURRENTVERSIONREG%\Run Value: xp_system
  • Added Registry Value:
    Key: HKLM\%CURRENTVERSIONREG%\Run Value: xp_system
  • Added Registry Value:
    Key: HKLM\%CURRENTVERSIONREG%\Run Value: Microsoft standard protector
  • Added Registry Value:
    Key: HKCU\%CURRENTVERSIONREG%\Run Value: xp_system