Virus:Trojan-PSW.Win32.Coced.219

• Technical details
• Payload
• Removal instructions

This Trojan steals user passwords. It is designed to steal a range of confidential information. It is a Windows PE EXE file. It is 11,269 bytes in size. It is written in Visual C++.

Installation

Once launched, the virus copies its executable file to the Windows system directory:

The Trojan also extracts the following file from its body:

The Trojan changes the values of the following system registry keys:

[HKCU\Software\Mirabilis\ICQ\Agent\Apps\ICQ]
"Enable" = "yes"
"Path" = "<path to Trojan executable file>"
"Startup" = ""
"Parameters" = ""

[HKCU\Software\Mirabilis\ICQ\Agent]
"Launch Warning" = "No"

The Trojan harvests the paramenter values of the following registry sub-key:

The Trojan also harvests information about modem connections used by the system to access the Internet. It also harvests passwords using WNetEnumCachedPasswords. The Trojan sends the harvested data to the remote malicious user's email: ***ihvseh@iname.com . The Trojan uses mail.compuserve.com to send outgoing mail.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following system registry key parameters:

   [HKCU\Software\Mirabilis\ICQ\Agent\Apps\ICQ]
   "Enable"="yes"
   "Path"="<path to Trojan executable file>"
   "Startup"=""
   "Parameters"=""

   [HKCU\Software\Mirabilis\ICQ\Agent]
   "Launch Warning"="No"

4. Delete the files created by the Trojan:
   %Temp%\Conf219.exe
   %System%\msrun16.exe
5. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).