Virus Profile: Artemis!10A4D2BC47D8

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 3/5/2010
Date Added: 3/5/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 5904
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Properties

  • MD5: 10A4D2BC47D88BACB3E7E3FB841D741B
  • SHA1: 99CBB7FFC04C874A74CC3C3082B1F4EF37C3D739

Aliases

  • Microsoft : ~Trojan:Win32/Rundis.gen!A
  • Kaspersky : Trojan.Win32.Patched.dk
  • Symantec : Trojan Horse
  • DrWeb : Trojan.PWS.Qqpass.1671

Indication of Infection

Presence of above mentioned registry keys

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

   

Virus Characteristics

Upon execution the Trojan copies itself into the following location.

  • %SysDir%\srvrest.exe
  • %WinDir%\dirsys.exe

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\BiezSoft
  • HKEY_USERS\S-1-(Varies)\ Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry values have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
  • "jazz20185"= "%SysDir%\srvrest.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
  • "5u12y41"= "%WinDir%\dirsys.exe"

The above mentioned registry entries shows that the Trojan execute everytime when windows start.

Trojan disables Task Manager, Folder Option, Registry and the command promt by adding the following values to the registry key

  • [HKEY_USERS\S-1-(Varies)\ Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
  • "NoFolderOptions"= "0x00000001"
  • [HKEY_USERS\S-1-(Varies)\ Software\Microsoft\Windows\CurrentVersion\Policies\System\]
  • "DisableRegistryTools"="0x00000001"
  • [HKEY_USERS\S-1-(Varies)\ Software\Microsoft\Windows\CurrentVersion\Policies\System\]
  • "DisableTaskMgr"="0x00000001"
  • [HKEY_USERS\S-1-(Varies)\ Software\Microsoft\Windows\CurrentVersion\Policies\System\]
  • "DisableCMD"="0x00000001"

The following registry value has been modified:

[HKEY_USERS\S-1-(Varies)\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]

"HideFileExt"=" 0x00000001"

The above mentioned registry value hides the file extension.

[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

%SysDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)]

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95