Anti-Virus Leader ViRobot

Trojan.Win32.Inject.46592.BN

Aliases
Typical Symptoms	Information leak
Discovered	[korea] 2009-05-23 [Foreign] 0000-00-00
Type	Trojan Horse	ActiveField	Win32
Destory/Distribution
Origin	others	Encryption	NO
Location	None	Memory residence	NO
Scan engine needed	2009-05-23 [Able to detect & repair]

[Summary]

By injecting to explorer.exe, it steals user account.

[Symptom of Infection]

1. It creates files to below path.
(System Folder) \(Random 3 digits)ab.exe (Trojan.Win32.Inject.46592.BN)

2. By modifying registry, it is executed on system reboot.

3. By injecting to explorer.exe, it steals user account.

[Notation]
-"(System Folder)" could be different by system and generally this is C:\Windows\System(Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), C:\Windows\System32 (Windows XP).

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.
The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
     -Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users

     - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
     - Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose "all files" in scan option.

- ViRobot Expert 4.0 : [Edit] -> [Configuration] -> [Scan] : Check all files
- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If [Auto-repair after rebooting] message shows up, please try to re-scan after rebooting the PC.

Copyright 2008 @ HAURI Inc. All rights reserved.