Virus:Trojan-PSW.Win32.Coced.220

Other versions: .215 , .219 , .219.b

Aliases
Trojan-PSW.Win32.Coced.220  ( Kaspersky Lab ) is also known as: Trojan.PSW.Coced.220 ( Kaspersky Lab ), IRC/Pws.gen ( McAfee ),   Trojan Horse ( Symantec ),   Trojan.PWS.Coced.220 ( Doctor Web ),   Troj/Naebi-220 ( Sophos ),   PWS:Win32/Coced.2_20 ( RAV ),   TROJ_PSW.COCED.A ( Trend Micro ),   TR/Coced ( H+BEDV ),   W32/Trojan.Coced.220 ( FRISK ),   Win32:Trojan-gen. ( ALWIL ),   Trojan.Coced.220 ( SOFTWIN ),   Trojan.PSW.Coced.220 ( ClamAV ),   Trj/Coced.220 ( Panda )
Description added Jun 18 2007
Behavior PSW Trojan
Technical details

This Trojan is one of a family of Trojans which steals user passwords. It is designed to steal confidential data. It is a Windows PE EXE file. The file is 12,295 bytes in size. It is written in Visual C++.

Installation

Once launched, the Trojan copies its executable file to the Windows system directory:

%System%\mswinrun.exe

The Trojan also extracts the following file from its body:

%Temp%\Naebi220.exe
Payload

The Trojan changes the values of the following system registry keys:

[HKCU\Software\Mirabilis\ICQ\Agent\Apps\Run]
"Enable" = "yes"
"Path" = "<path to Trojan executable file>"
"Startup" = ""
"Parameters" = ""

[HKCU\Software\Mirabilis\ICQ\Agent]
"Launch Warning" = "No"

The Trojan harvests the paramenter values of the following registry sub-key:

[HKCU\Software\Mirabilis\ICQ\Owners]

The Trojan also harvests information about modem connections used by the system to access the Internet. It also harvests passwords to the modem connections by using WNetEnumCachedPasswords.

If CuteFTP is installed on the victim machine, the Trojan will harvest the contents of the following file:

C:\Program Files\CuteFtp\Tree.dat

The Trojan sends harvested data to the remote malicious user's email address. The Trojan uses mail.computer.com to send outgoing messages.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following files:
    %Temp%\Naebi220.exe
    %System%\mswinrun.exe
  4. Restore the original registry key values:
    [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Run] [HKCU\Software\Mirabilis\ICQ\Agent] [HKCU\Software\Mirabilis\ICQ\Owners]
  5. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).
HOME