January 24, 2011

TROJ_GAMETHI.FMS

This is a Trojan Horse that will come in disguise of the users. Trojans are usually downloaded from the Internet and installed by unsuspecting users with or without their consent.Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an anti-virus program.

This comes in a combination of malware when there is an exploit HTML_SHELLCOD.SM. It brings 8 infections out of which Troj_GAMETHI.FMS is one of them. 


Effects:
This trojan drops copies of itself in system32 folder with a name
  • fqtkz.exe
It creates the following registry keys 
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main
    TabProcGrowth = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\URL
    SystemMgr = "Del"
Removal:

1) Disable system restore.
2) Use Process explorer tool to find the processes that are related to the Trojan.
3) If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode.
Search and delete the registry keys

  • In HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\
    Internet Explorer\Main
    • TabProcGrowth = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
    Windows\CURRENTVERSION\URL
    • SystemMgr = "Del"
     
Delete the files that are dropped by the trojan in the system 32 folder. Uncheck Hide protected operating system files in Folders Option>View tab, and then check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result as the trojan may apply the hidden attributes to the files it dropped.

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...

Search This Blog

Followers

Categories

Twitter Delicious Facebook Digg Stumbleupon Favorites More