Mar 12

Trojan.Trafbrush

By admin
Add comments
Virus
 
Name Trojan.Trafbrush
Type Trojan
Affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Risk Level 1: Very Low
Discovered March 7, 2008
Update March 7, 2008 10:03:03 AM
Length 168,316 bytes
Virus Info Trojan.Trafbrush is a Trojan horse that downloads files from remote locations and attempts to access various URLs.
Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low

Writeup By: Chen Yu
Details >Trojan.Trafbrush

To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  4. Navigate to and delete the following entries:
    • HKEY_CLASSES_ROOT\Brushy.brush.1
    • HKEY_CLASSES_ROOT\Brushy.brush
    • HKEY_CLASSES_ROOT\CLSID\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF}
    • HKEY_CLASSES_ROOT\TypeLib\{F54A0656-1D23-4FC1-883E-E68E4CD29566}
    • HKEY_CLASSES_ROOT\Interface\{5A1F62AE-0E47-4547-8E5C-AC73FE58C9AE}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\”ImagePath” = “%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys”
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\”ImagePath” = “%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys”
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations\”SUCCESS” = “%UserProfile%\Local Settings\Temp\v22.exe”
  5. Exit the Registry Editor.

    Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

5. To find and stop the service

  1. Click Start > Run.
  2. Type services.msc, and then click OK.
  3. Locate and select the service that was detected.
  4. Click Action > Properties.
  5. Click Stop.
  6. Change Startup Type to Manual.
  7. Click OK and close the Services window.
  8. Restart the computer.

Writeup By: Chen Yu

Save this article to PDF.

"Free Scan Trojan.Trafbrush

Print This Virus article Print This Virus article

This entry was posted on Wednesday, March 12th, 2008 at 1:36 am and is filed under Virus. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Comment

You must be logged in to post a comment.