Virus:Trojan-Spy.Win32.BZub.jj

Other versions: .ar, .ji

Detection added: May 19 2007 18:55 GMT
Description added: Jun 09 2007
Behavior: TrojanSpy

Technical details

This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is 99,032 bytes in size. It is not packed in any way. It is written in Delphi.

Installation

When launched, the Trojan drops a .dll file called "ipv6monl.dll" to the Windows system directory:

%System%\ipv6monl.dll — this file is 67,776 bytes in size, and will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.BZub.ji

Payload

When Internet Explorer is launched, the Trojan will be launched automatically. Once launched, the Trojan searches for cached passwords. It also saves passwords entered by the user to a file called "form.txt".

The Trojan also creates a file called "info.txt" and saves the following information to this file:

  • computer name
  • IP address
  • operating system
  • name of user account
  • data from Outlook

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Close Internet Explorer.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following file:
    %System%\ipv6monl.dll
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
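
An added example (not part of the original description): a Python triage check for the file indicators named above, grading each hit by how closely it matches. The search directories, including SysWOW64 for 64-bit Windows, are assumptions; the description does not say where form.txt and info.txt are written, so pass any directory you want inspected to check_dir.

```python
import os
from pathlib import Path

# Indicators taken from the description above.
DLL_NAME = "ipv6monl.dll"
DLL_SIZE = 67_776  # bytes, stated size of the dropped DLL
LOG_NAMES = {"form.txt", "info.txt"}  # common names: a weak signal on their own


def default_system_dirs():
    """Assumption: %System% is System32; SysWOW64 is included because writes by
    a 32-bit process are redirected there on 64-bit Windows."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return [Path(root) / "System32", Path(root) / "SysWOW64"]


def check_dir(directory):
    """Return (path, indicator, strength) tuples for one directory.

    strength is "strong" (name, size and PE header all match), "name-only"
    (name matches but size or header differs, e.g. another variant),
    "weak" (log file name only) or "unreadable" (access error).
    """
    findings = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for entry in directory.iterdir():
        name = entry.name.lower()  # Windows file names are case-insensitive
        try:
            if name == DLL_NAME and entry.is_file():
                with entry.open("rb") as fh:
                    is_pe = fh.read(2) == b"MZ"  # DOS/PE magic bytes
                size_ok = entry.stat().st_size == DLL_SIZE
                strength = "strong" if (is_pe and size_ok) else "name-only"
                findings.append((str(entry), DLL_NAME, strength))
            elif name in LOG_NAMES and entry.is_file():
                findings.append((str(entry), name, "weak"))
        except OSError:
            findings.append((str(entry), name, "unreadable"))
    return findings


if __name__ == "__main__":
    for d in default_system_dirs():
        for path, indicator, strength in check_dir(d):
            print(f"{strength:10} {indicator:13} {path}")
```

A "name-only" hit still deserves a scan, since the other versions listed at the top of this entry may drop a file of a different size.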