Category Archives: Malware

Trojan Horse Virus

A Trojan Horse, or simply Trojan, is malware that presents itself as a useful program but actually does extensive damage: it can allow unauthorized access to your computer, wreak havoc on your system, and may even erase your hard disk.

How Trojans Work

Trojans are spread over the Internet through a number of ways, such as through emails, chat programs, and the download of files that may actually contain beneficial material but also include concealed Trojans. Once these files are opened or executed, the malicious program is installed on your computer. Thus, the victim of a Trojan attack has to install the server end of the program in order for it to work. And once installed, the program will run automatically every time your computer is turned on.

Many Trojans also incorporate a worm that reads the e-mail addresses stored on your computer and sends each of them a message carrying the Trojan as an attachment. Malicious hackers, also called crackers, can build a network of zombie computers through this worm. Such a network of zombie computers, called a botnet, can then be used to spread even more Trojans. The machines are called zombies because their users rarely know they are infected.

As soon as an infected computer, which is the server in this arrangement, is powered up, the Trojan sends its IP address to the attacker, who runs the client. This allows the attacker to communicate with the infected computer and access its files or even erase them.

Methods of Prevention

The best way to prevent the entrance of a Trojan Horse and keep it from infecting your computer is to avoid opening email attachments or files that have been sent by unknown senders. Deleting them should deal with the problem. Also, be wary of downloading materials from sites that you are not familiar with. If a download appears too good to be true, it probably is.

Yet, not all files are guaranteed to be virus-free. It is therefore important to install and regularly update an antivirus or an anti-spyware program to shield your computer from malicious programs.

    How to Uninstall Mirar on your Computer

    Getmirar, better known as Mirar, is a type of spyware application. It threatens the stability and security of a device by gaining access to confidential information stored on it. Mirar serves advertisements chosen according to the browser used when searching the Internet.

    This toolbar helps show contextual information for users to see while they are browsing the Web. It then locates similar Web pages that are relevant to the site currently being viewed by the user. This helps monitor the activity of Web surfers and facilitates a more targeted advertising campaign.

    Those who use this particular toolbar aim to increase the productivity of advertising on the Net. Meanwhile, Mirar can also show pop-ups whenever a user opens a Web page. These pop-ups often offer users to download and install Mirar on the toolbar if they do not have it yet.

    Typically, Mirar installs itself automatically as a Web browser add-on. By registering an entry for itself in the System Registry, it gets the operating system to treat the add-on as a legitimate one. If you want to uninstall Mirar, follow these procedures:

    1. Open the “Control Panel”. Then, click on the Control Panel icon to launch the Internet Explorer window.
    2. Double-click the Add or Remove program option, which is shown on the Control Panel window, to make an applet appear on-screen. This will then provide a list of programs running on your machine.
    3. Choose Mirar from the list and then click the Change/Remove button to start the uninstallation process for the Mirar.
    4. Follow whatever is prompted until the browser is launched. This will enable you to validate the removal of the Mirar. To ensure that all files and registry entries that are linked to Mirar are properly removed, you might want to conduct a full system scan using a reliable anti-Malware program.
    5. You can visit the SpyHunter website so you can download and install the free Mirar scanner. However, you need to remember that this tool will only detect Mirar on your machine. You will need to purchase the Spyware removal tool to fully get rid of the Spyware application.

    Zlob

    Zlob Trojan is a type of Trojan Horse program that disguises itself as a required video codec in the form of ActiveX. It primarily affects the Windows operating system.

    It is also known by many aliases, such as:

    • Troj/Zlob-XA
    • Trojan.Zlob
    • Zlob-XA
    • Troj/Zlob-QJ
    • Zlob-X.a

    This Trojan Horse is activated once it has inserted itself into a file on the computer and been installed from a remote location.

    Once installed, this virus displays popup ads similar to the actual Microsoft Windows warning popups, notifying computer users that their system is infected. Clicking this popup ad would trigger the entry of malicious codes into the system processes and the download of a fake anti-spyware program which contains the hidden Zlob Trojan virus.

    Variants Of Zlob

    Currently, there are around 32 variants of this type of Trojan. They are frequently spread through fake video streaming sites, which notify computer users that they have to install a codec to view the non-existent videos. This codec installer is nothing more than a Zlob Trojan downloader.

    Some variants of the Zlob family, such as DNSChanger, write rogue DNS name servers into the Registry of Windows-based computers and into the network settings of Macintosh computers. This can re-route traffic from legitimate web sites to other suspicious web sites.

    Other common variants of the Zlob virus include:

    • TROJ_ZLOB {DR, DU, and FP}
    • Trojan.Zlob.D
    • Troj/Zlob-CD
    • Downloader-XC
    • Downloader.Win32.Zlob {dz, ha, he}
    • Generic Downloader.gen.bd
    • Puper

    Effects Of Zlob

    The Zlob Trojan is capable of downloading atnvrsinstall.exe, which uses the Windows Security shield icon to disguise itself as an antivirus installation file from Microsoft.

    Once this file is activated, it can wreak havoc on different computer networks. It can:

    • cause random computer reboots or shutdowns with random comments,
    • modify data on the computer,
    • steal information,
    • delete files from the computer,
    • download code from the Internet, bringing in further malware,
    • install itself into the registry, and
    • modify the startup or registry file so that it is executed during boot up.

    It can also download and install several rogue or fake anti-spyware programs such as AntiVirGear, SecurePCCleaner, IEDefender, WinAntiVirus Pro 2007, Ultimate Cleaner and SpyShredder.

    If left untreated, Zlob could be highly dangerous.

    Zlob Manual Removal Instructions

    Removing Zlob is similar to removing any other Trojan. Remember that a Trojan can infect and corrupt computers, but not the files themselves, so it can be easily recognized and removed.

    You can manually remove Zlob by performing the following steps:

    1. To locate Zlob Path, use Windows File Search Tool. To accomplish this, follow these steps:
      • Click the Start menu
      • Click Search
      • Click All Files or Folders
      • In the “All or part of the file name:” section, key in Zlob
      • In the “Look in:” section, select “My Computer” or “Local Hard Drives” to get better results
      • Press the Search button
      • When the Search is finished, look over the In Folder for Zlob then highlight the file and copy/paste the path into the address bar
      • Save the path of the file in the clipboard because you will need the file path to delete Zlob.

    2. To Remove Zlob Processes, use Windows Task Manager. To accomplish this, follow these steps:
      • Open the Windows Task Manager by using one of the following key combinations: CTRL+ALT+DEL or CTRL+SHIFT+ESC
      • Click the Image Name button to search for the Zlob process by name
      • Choose the Zlob process
      • Press the End Process button to kill it
      • Remove the Zlob process files:
        • msmsgs.exe
        • nvctrl.exe

    3. To Remove Zlob Registry Values, use Registry Editor. Follow these steps:
      • Select the Run option from the Start menu.
      • In the pop up box, type regedit then Click OK
      • Search and delete the entry(s) whose data value, shown in the rightmost column, is one of the malicious file(s) detected earlier
      • To remove the Zlob value, right-click on the Zlob value then select the Delete option
      • Search and delete the Zlob registry entries:
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32 = %System%\msmsgs.exe
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe

    4. Use Windows Command Prompt to unregister Zlob DLL Files. To accomplish this, follow these steps:
      • From the Start menu, select the Run option
      • In the pop up box, type cmd then Click OK
      • Type cd to modify the current directory then click the Space button
      • Key in the full path to where the Zlob DLL file is located
      • Press the Enter button
      • Use the dir command if you don’t know where the Zlob DLL file is located. This will display the directory’s contents.
      • To Unregister the Zlob DLL file, key in the exact directory path + regsvr32 /u + DLL_NAME
      • You may type: C:\Spyware-folder\> regsvr32 /u Zlob.dll
      • Click the Enter button
      • Wait for a message to pop up that states that you have successfully unregistered the file
      • Locate and Unregister the following Zlob DLL files:
        • uimcu.dll
        • antzozc.dll
        • dtjby.dll

    5. How to spot and delete other Zlob files
      • Select the Run option from the Start menu.
      • Type cmd then Click OK in the pop up box.
      • Key in dir /A name_of_the_folder (e.g. dir /A C:\Spyware-folder). This displays the folder’s contents together with the hidden files.
      • Change the directory by typing cd name_of_the_folder
      • Once the file has appeared, type del name_of_the_file to delete a file in the folder
      • Type rmdir /S name_of_the_folder to delete the entire folder
      • Choose the Zlob process
      • Press the End Process button to terminate it
      • Delete the following Zlob process files:
        • uimcu.dll
        • antzozc.dll
        • dtjby.dll
        • dumpserv.com
        • zxserv0.com

    You can also install antivirus, anti-spyware and other malware removal tools to automatically detect and remove not only this virus but also any other kind of malware.
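    As an added check that is not part of the page or of any tool it names, the following Python script audits a .reg export (constructed inline) for the persistence points the removal steps above touch: Run entries that launch the Zlob files listed or anything from a user-writable directory, a Winlogon Shell value that is no longer just explorer.exe, and, for the DNSChanger variant described earlier, NameServer values outside an expected set. Exporting the keys with regedit beforehand is assumed; the GUID, vendor paths and IP addresses in the sample are made up.

```python
import ntpath
import re
from collections import defaultdict

# Constructed .reg export. Only the two Zlob entries (RegSvr32 -> msmsgs.exe,
# nvctrl.exe) and the Winlogon Shell value come from the page; every other
# name, path, GUID and address here is made up for the demonstration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\ExampleVendor\\updater.exe"
"RegSvr32"="%System%\\msmsgs.exe"
"nvctrl"="C:\\Windows\\System32\\nvctrl.exe"
"Sync"="C:\\Users\\Alice\\AppData\\Roaming\\sync\\sync.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID}]
"NameServer"="203.0.113.77,192.0.2.53"
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
TCPIP_IFACES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
ZLOB_FILES = {'msmsgs.exe', 'nvctrl.exe'}   # process files the page lists for Zlob
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '%temp%', '%appdata%')

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string (REG_SZ) values only


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes inside string data as '\\'
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys


def audit(keys, expected_dns):
    """Return (kind, name, data) findings for Run, Winlogon Shell and NameServer."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        low = data.lower()
        # executable name: strip the directory, then any command-line arguments
        exe = ntpath.basename(low).split(' ')[0].strip('"')
        if exe in ZLOB_FILES:
            findings.append(('run-known-bad', name, data))
        elif any(marker in low for marker in USER_WRITABLE):
            findings.append(('run-user-writable-path', name, data))
    shell = keys.get(WINLOGON_KEY, {}).get('Shell', 'explorer.exe')
    if shell.strip().lower() != 'explorer.exe':
        findings.append(('winlogon-shell-modified', 'Shell', shell))
    for key, values in keys.items():
        if key.startswith(TCPIP_IFACES) and values.get('NameServer'):
            servers = [s for s in re.split(r'[ ,]+', values['NameServer']) if s]
            rogue = [s for s in servers if s not in expected_dns]
            if rogue:
                findings.append(('rogue-dns', key.rsplit('\\', 1)[-1], ','.join(rogue)))
    return findings


if __name__ == '__main__':
    for kind, name, data in audit(parse_reg(SAMPLE_REG), {'192.0.2.53'}):
        print(f'{kind:24} {name} -> {data}')
```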

    Combofix

    Combofix is a software tool used to clean a set of malicious applications from a computer. It enables users to remove infections brought about by harmful software such as viruses, and it can detect infections not found by other scanners, which it then attempts to clean automatically.

    Combofix can also list down System Registry keys. This feature lets users identify areas where suspected malicious programs are hiding. Another unique feature of Combofix is its rootkit detector. This allows users to see if rootkits are present in their computers.

    Combofix provides information in the form of a log after performing its scan. This log helps experienced users in detecting and getting rid of infections that cannot be automatically removed.

    Users need to install the Windows Recovery Console before using Combofix. This application lets the PC start in a special recovery mode in case it encounters a problem after trying to remove a certain malicious program. Users can install Combofix afterwards.

    Next, users have to disable their anti-virus and anti-spyware programs. Users can then start Combofix once these procedures have been done. They should not click on any part of its user interface right after this. Users may leave the PC for a while since Combofix may take several minutes to complete. Users may notice that their computers get disconnected from the Internet during a system scan. This is a normal part of the process. A log will be shown on the screen after system scan completion.

    sUBs developed Combofix. One can download a copy of Combofix through the following URLs: BleepingComputer.com, ForoSpyware.com, and GeeksTogo.com.


    Adware

    Advertising-supported software (adware) includes any software application that automatically displays or downloads advertising banners while the program runs. This occurs after software installation or while the application is operating.

    The advertisements are displayed through a bar or pop-up window that appears on the screen. The authors of the software include code that triggers the delivery of the ads while the program is running. Adware developers justify this by stating that the ads recover program development costs, thus keeping the price low for the consumer.

    Adware usually includes code that tracks personal information and passes that data on to third parties without the knowledge or authorization of the user. Some adware is also spyware, also called privacy-invasive software. Spyware has prompted protests from the Electronic Privacy Information Center (EPIC) and other privacy and security advocates.

    Users may inadvertently download adware or spyware and may not know of it until advertisements pop up on their computers.

    To avoid adware, users should not click on the pop-up ads. They should close the pop-up bar by using the task bar. This is done by right-clicking on the task bar entry, thus avoiding contact with the pop-up. E-mails with attachments should also be deleted, especially those from unknown people.

    To keep your computer adware/spyware-free, you can use adware removal software. Adware/spyware uninstall software is easily available on the Internet. Users can usually get a free scan to diagnose infection.

    Programs to detect and remove spyware have been developed, and many adware detection programs have been created to detect and remove various adware applications. Programs such as Ad-Aware and Spybot-Search and Destroy are designed specifically for spyware rather than virus detection, though some antivirus software can detect both, or includes a distinct spyware detection component.

    spooldr.sys

    Spooldr.sys is a harmful file that can disrupt the stable operation of Microsoft Windows operating systems. The file spooldr.sys has been classified as a rootkit; hence, it can gather information from the computer and remain undetected. Spooldr.sys is part of the malware known as Trojan.packed.13, a malicious program that disguises itself as useful software.

    How does spooldr.sys work? This file is included in the Trojan.packed.13 malware, which arrives via spam email. The spam email convinces the user to visit a particular website. Once the user visits the site, it executes a JavaScript routine with an embedded process. This process targets a WMP vulnerability on the computer’s system.

    The vulnerability is then exploited through the installation of an applet application. This application has the ability to drop itself in the System folder of Windows. This application also has the capability to set up a kernel driver which is the spooldr.sys file. The file spooldr.sys then executes another application to finalize the deployment of the malware.

    There are a number of ways to detect a spooldr.sys infection. Checking the folders where spooldr.sys normally copies itself is the first way of doing so. The user can check C:\Windows\System32\ and see if the said file is within the folder. He can also check other folders such as those within Windows and Program Files. Apart from this, frequent system crashes, slow performance, and a slow Internet connection are other indications of a spooldr.sys infection.

    Spooldr.sys infections can be avoided through a few steps. The user should never open spam email and visit the links found within the said type of messages. He should also install an anti-virus program and regularly update his Windows security features.

    SMITFRAUD

    SmitFraud is a kind of fake anti-spyware program whose malicious intent is to trick users into purchasing its bogus anti-virus product. This malware floods the display with error prompts warning about the presence of multiple serious infections in the computer system.

    How it Finds its Way to Your Computer

    SmitFraud’s way of contaminating your computer is hard to trace. SmitFraud installs itself on the computer without any notice to the user. This Trojan is mostly distributed under the name of a codec. A codec is a program used to compress large movie files so the computer can easily play them. SmitFraud infects the computer by disguising itself as a codec download.

    Detecting the Infection

    It tampers with the system settings, especially the display. Sometimes it reports that the system cannot function well because it is infected. Some users will scan with the first spyware tool that pops up, and it is usually this adware that installs SmitFraud. Choosing this adware then causes more problems throughout the system.

    Once it is installed in the computer, this malware will begin to show pop-ups and issue alarms that the system has many errors. It may show as a blinking page above the page you are browsing, and cannot be easily closed or exited. The pop-ups will show a long list of infections it has supposedly found. In addition to that, this blinking page will be persistent in urging the user to purchase the anti-virus program it offers.

    What You’re Getting

    The price can range from $15 for the “basic version” to more for the “advanced version”. SmitFraud promises to clear the computer of the worms, Trojans, and other viruses that make the system crawl. When you detect something like this on your computer, remove it immediately. It is recommended to run a full scan of the computer system using a reliable anti-spyware program.

    The Affected Operating Systems

    SmitFraud is known to affect almost all the newer versions of Windows, including Windows 95, 98, ME, NT, 2000, 2003, and XP. It can cause a serious breach of the security of the computer. It especially affects the WININET.DLL file, and by tampering with that .dll file it can access any page that you have visited on the Internet.


    Worm Virus

    A computer worm is a computer program with the capacity to replicate itself and spread across a network using the e-mail addresses found on the computer or other mass-mailing techniques. It can also infect other networks via security holes reachable from the Internet.

    The Difference Between a Worm and a Virus

    A computer worm can run itself by sending copies of itself to other computer terminals on the network without attaching to an existing program or through any form of user intervention. A computer virus, however, requires a host program to run and its code operates as part of the host program.

    Computer worms almost always cause damage to the computer network by consuming its bandwidth (the transmission capacity), while computer viruses almost always corrupt and then alter files on a targeted computer.

    Payloads

    Payloads are code developed not just to spread the worm, but to enable it to send documents via e-mail, delete files on a host system, or encrypt files in a cryptoviral extortion attack.

    Many computer worms were originally designed to spread but not to modify the systems they pass through. However, with the introduction of new worms such as the Morris worm and Mydoom, network traffic and other accidental effects can frequently cause major disruption to the system.

    A very familiar payload for computer worms is to install a backdoor in the corrupted computer. This facilitates the formation of a zombie under the control of the worm author. Examples of computer worms that cause the creation of zombies are Mydoom and Sobig worms.

    These backdoors can be exploited by other malicious software. For example, the malware Doomjuice can spread using the backdoor created by the Mydoom worm.

    Famous Examples of the Computer Worm

    The following are examples of famous computer worms and their specific descriptions:

    1. The Internet worm or Morris worm was the first worm to be disseminated through the Internet and the first to achieve important mainstream media attention.

    It was unleashed by accident on the Internet by Robert Tappan Morris in 1988. It was originally created not to cause damage but to estimate the size of the Internet. However, an unintended outcome of the code caused it to be more destructive.

    A computer could be infected multiple times, with each added process slowing the machine down. Eventually, this made the computer unusable.

    2. The Sobig Worm is a computer worm that first appeared in August 2003. Since then, it has corrupted millions of Microsoft Windows computers connected to the Internet.

    As a worm, it can replicate by itself. It also has some features similar to a Trojan virus because it disguises itself as electronic mail.

    It has six variants but the most widespread and well-known is its Sobig.F variant.

    3. Mydoom is a computer worm affecting Microsoft Windows. It is also known as Novarg, Shimgapi, W32.MyDoom@mm, and Mimail.R.

    It was considered the fastest-spreading e-mail worm as of January 2004, beating the record set by the Sobig worm. It was first viewed on January 26, 2004.

    Mydoom worms all spread through e-mail containing the text message “Andy; I’m just doing my job, nothing personal, sorry”. It was believed that the creator of the worm was paid to develop it. The actual creator however is unknown.

    It shares some features similar to a Trojan virus by attracting a computer user to open an infected e-mail attachment.

    4. The Blaster Worm is a computer worm also known as Lovsan or Lovesan. It spreads on computer networks running the Windows 2000 and Windows XP Operating Systems. It was first sighted in August 2003.

    This worm contains two messages concealed in strings. The first contains the message “I just want to say Love You San”, thus giving the name Lovesan worm. The second message was intended for Bill Gates, the target of the worm. The message states “Billy Gates why do you make this possible? Stop making money and fix your software”.

    Protection Against Dangerous Computer Worms

    Many computer worms such as the Blaster worm spread by exploiting vulnerabilities in the computer network. The best protection is to keep up to date with the patches provided by application vendors and operating system vendors.

    The user can protect his computer against worms that spread similar to a Trojan virus by not opening attachments in the email sent by unknown senders. These corrupted attachments are not restricted to .exe files because Microsoft Excel and Word files can also contain macros that can spread infection.

    Installing anti-spyware and anti-virus software is also very helpful. However, it must be kept up-to-date with the latest pattern files to ensure optimum effect.

    Trojan.Adclicker

    Trojan.Adclicker is a common type of Trojan virus. It was developed to artificially produce traffic to certain websites on the Internet. Trojan Adclicker works by sending HTTP (Hypertext Transfer Protocol) requests that will produce pop-up banner advertisements, inflate Web counter statistics, and embed banner ads in the Web page.
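    A detection-side view of the traffic pattern just described, as an added example that is not from the page: the script parses Apache combined-format log lines (constructed inline, with documentation-range IP addresses) and flags clients whose ad-URL requests arrive on a fixed timer, which is how an Adclicker’s automated HTTP requests look from the web server’s side. The ad path prefix and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines. 203.0.113.9 stands in for an
# Adclicker-infected host fetching the same ad URL every 30 seconds with no
# referer; 198.51.100.4 is an ordinary visitor with irregular timing.
BOT_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'
BOT_LINES = [
    f'203.0.113.9 - - [10/Oct/2023:13:{55 + (i * 30) // 60:02d}:{(i * 30) % 60:02d} +0000] '
    f'"GET /ads/click?id=17 HTTP/1.1" 302 0 "-" "{BOT_UA}"'
    for i in range(8)
]
HUMAN_LINES = [
    f'198.51.100.4 - - [10/Oct/2023:{ts} +0000] "GET /ads/click?id={i} HTTP/1.1" 302 0 '
    f'"http://example.com/news" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"'
    for i, ts in enumerate(['14:02:00', '14:02:05', '14:02:52', '14:03:04', '14:05:14', '14:05:23'])
]
SAMPLE_LOG = BOT_LINES + HUMAN_LINES

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_click_bots(lines, ad_prefix='/ads/', min_hits=6, max_cv=0.1):
    """Flag client IPs whose ad requests are numerous and metronomically spaced.

    cv is the coefficient of variation of the gaps between consecutive hits:
    a clicker firing on a timer has cv near 0, while a person's gaps vary widely.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['path'].startswith(ad_prefix):
            by_ip[rec['ip']].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r['ts'])
        gaps = [(b['ts'] - a['ts']).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        if cv <= max_cv:
            flagged[ip] = {
                'hits': len(recs),
                'mean_gap_s': round(mean_gap, 1),
                'cv': round(cv, 3),
                'no_referer': sum(r['referer'] == '-' for r in recs),  # ad hit with no page
                'user_agents': len({r['ua'] for r in recs}),
            }
    return flagged


if __name__ == '__main__':
    for ip, info in find_click_bots(SAMPLE_LOG).items():
        print(ip, info)
```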

    Trojan.Adclicker is also known as:

    • TROJ_VB.SR;
    • Adware.Hiu.c;
    • Trojan-Clicker.Win32.VB.nd;
    • AdWare.Win32.Agent.ak;
    • W32/Adclicker.IM;
    • AdWare.Win32.Age; and
    • Trojan.Adclicker Variants.

    Before discussing how to remove Trojan.Adclicker from your system, it is best to know first the different variants of this virus. This will help you understand better how to remove them. The following are the kinds of Trojan.Adclicker:

    TROJ_ADCLICKE.AH – It displays fake error messages to get unsuspecting computer users to connect to various advertising websites.

    TROJ_ADCLICKE.GH – This variant of Trojan.Adclicker registers itself in the system as a Browser Helper Object (BHO) so that it is executed automatically every time Internet Explorer runs.

    TROJ_ADCLICKE.AX – It registers itself as a Component Object Model (COM) object to ensure it is loaded into memory every time Internet Explorer runs. It usually appears as a file dropped by other malware.

    TROJ_ADCLICKE.BL – It is either dropped by other malware or downloaded from the Internet. It can display a fake pop-up message warning the computer user that the system is infected by malicious software. When the unsuspecting user clicks the message, he or she is redirected to a website where malware may be downloaded and installed.

    TROJ_ADCLICKE.AD. – It appears either as a file manually downloaded from the Internet or as a part of another malware’s installation package.

    TROJ_ADCLICKE.AF. – It is a memory-resident Trojan that registers itself onto the system as a service using several display names to prevent easy detection. It is either downloaded from malicious websites or dropped by other malware programs.

    TROJ_ADCLICKE.AG. – It was developed to detect an Internet connection. Once it finds one, it tries to download a possibly malicious file.

    TROJ_ADCLICKE.CI. – It is a Dynamic Link Library (DLL) component appearing as part of another malware’s installation package. It is used by other malicious software applications to access certain remote sites.

    What’s Your Action Against It

    When you’re using a Windows XP based computer infected with a Trojan.Adclicker, you can detect and eliminate this malware by performing the following steps:

    1. Open Windows Task Manager.
    2. Search for an active system process or a background process relevant to the Trojan.Adclicker.
    3. Choose the potential file variants of Trojan.Adclicker then right-click it.
    4. Click the End Process option.
    5. Perform a functional registry scan using a good registry scanning program.
    6. List down all potential registry entries associated with the Trojan.Adclicker variants.
    7. Press the Windows key plus R, then type in regedit.
    8. Remove the registry entries found on your list by deleting them. Make sure you have a registry backup before you do this, to prevent system crashes.
    9. Save your modifications on the registry then close the Registry Editor.
    10. Search for the Dynamic Link Libraries (DLLs) connected with the registry entries along with the Trojan.Adclicker variants.
    11. Un-register the Dynamic Link Libraries (DLLs) linked with the Trojan.Adclicker variants.
    12. Open the Control Panel.
    13. Press the Add/Remove Programs icon.
    14. Scan the program listings to determine any installed application responsible for the operation of the Trojan.Adclicker variants.
    15. Press the Uninstall option.