Internet Explorer Trojan Virus


caleb_yee
28-08-03, 17:21
Trojan.Gaslide is a Trojan Horse that attempts to modify the settings in the Internet Explorer Web browser.

When Trojan.Gaslide is executed, it does the following:

Copies itself as C:\Cdrunxp.exe and C:\Mscomctl.vxd.

Drops the following files in the root of the C drive:
Gsupx.exe: A UPX-packed version of UPX packer. This file is not malicious, so Symantec antivirus products do not detect it.
Notepad32.exe: A UPX-packed version of Notepad. This file is not malicious, so Symantec antivirus products do not detect it.
Notepad.exe: A Microsoft Visual Basic Program that modifies the registry. This file is detected as Trojan.Gaslide.
NLoad.vxd: A UPX-packed version of Notepad. This file is not malicious, so Symantec antivirus products do not detect it.
Helpctl.exe: A Microsoft Visual Basic Program that modifies the registry and loads the Trojan. This file is detected as Trojan.Gaslide.
Iexplorer.exe: This file modifies settings in the Internet Explorer Web browser.

Modifies the default value of the following registry key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

This causes the Trojan to execute every time that an .exe file is executed.

Adds the values:

"<path>\helpctl.exe" = "<path>\helpctl.exe"
"slide" = "Iexplore.exe"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Modifies the default value of the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Start Page

so that the Internet Explorer home page is changed to one specified in the Trojan.

Systems which are vulnerable: the Windows family.
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

What to do....
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as Trojan.Gaslide.
Reverse the changes that were made to the registry.
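A report-only check for the indicators listed in the post above, written as an added example (it is not part of the post or of any vendor write-up). It assumes a PowerShell session with read access to HKCR and HKCU, and it reads the IE home page from the Internet Explorer\Main key, which is where that value normally lives.

```powershell
# Added example: report-only sweep for the Trojan.Gaslide indicators named in the post.
# It changes nothing; it prints what it finds so the cleanup steps can be applied deliberately.
$findings = @()

# 1. Files the post says are dropped in the root of C: (names copied from the post)
$dropped = 'Cdrunxp.exe','Mscomctl.vxd','Gsupx.exe','Notepad32.exe',
           'Notepad.exe','NLoad.vxd','Helpctl.exe','Iexplorer.exe'
foreach ($name in $dropped) {
    $p = Join-Path 'C:\' $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. EXE file-association hijack: on a clean system the default value is  "%1" %*
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -LiteralPath $exeKey).'(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command altered: $exeCmd" }

# 3. Run-key persistence values named in the post ("slide" and "<path>\helpctl.exe")
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -eq 'slide' -or $prop.Name -like '*helpctl.exe' -or
        "$($prop.Value)" -match 'helpctl\.exe|iexplore\.exe') {
        $findings += "Run value '$($prop.Name)' = $($prop.Value)"
    }
}

# 4. IE home page, read from its usual location (assumed here; not the path the post gives)
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty -LiteralPath $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($start) { $findings += "IE Start Page is: $start (confirm it is one you set yourself)" }

if ($findings.Count -eq 0) { 'No Trojan.Gaslide indicators found.' } else { $findings }
```

Run it before and after the scan in the post's steps; an exefile command that is still not `"%1" %*` after cleanup means step four (reversing the registry changes) is still outstanding.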