Prevent Online Threats

Archive for April, 2008

Trojan.Win32.Lovadot

Saturday, April 26th, 2008

Details
Trojan.Win32.Lovadot.d

This Trojan program is written in VB5, and compiled as a PCode application, about 46KB in size, which usually enters the system as a file named “movie.exe”.
When run, it will first attempt to make a copy of itself in “c:\windows\system\sysgo.exe”, and will also create a batch file named “c:\sysgo.bat”, which is supposed to keep making copies of the “sysgo.exe” instance in the Windows (9X) startup directory, so it will get executed every time the system is started. If the operating system is not Windows 95, 98 or ME, the Trojan installation routines will fail, and the Trojan will not be executed with every system reboot.
The Trojan also inserts a line stating “sysgo” in “c:\autoexec.bat”, and when everything is finished, a file named “pawn.dat” is dumped in the current directory, which contains a single word, “Done”. The active Trojan part does not attempt to listen to any ports, and has no backdoors inside. However, if an Internet connection is available, depending on several conditions, it will connect to the “www.loveadot.com” server, and perform a series of tasks.
The main purpose of these tasks seems to be looking through a search engine for pages belonging to or containing the keyword “kcsmith”, then finding AD (“Advertising”) pop-ups in those pages and doing the equivalent of “clicking” them.
We assume that “kcsmith” has set up a certain amount of “Pay on click” pages, and is using the Trojan to make money from unsuspecting users.
Another routine in the Trojan will read the value stored in “http://www.loveadot.com/server.txt” and add it to an internal list; the Trojan will then connect to the “www.loveadot.com” server and try to access a certain page, sending the IP address as a parameter. The respective page is either no longer available, or has not yet been uploaded. The Trojan will also attempt to access the server whose address is specified in the “server.txt” file, and send various data to it. At this time, the address from “server.txt” belongs to a machine located in the US, and seems to be down.

Trojan.Win32.Krotten

Friday, April 25th, 2008

Details
Trojan.Win32.Krotten.n
This Trojan is a Windows PE EXE file and is 53947 bytes in size. The Trojan appears to be an illegal program which can be used to generate codes to top up mobile phone accounts. However, if the user launches the file, the result is that it will be impossible to use the full resources of the…

Trojan.Win32.KillDisk

Friday, April 25th, 2008

Details
Trojan.Win32.KillDisk.f

This Trojan is extremely dangerous. It installs itself on the system as a driver, and starting from 27th April it will delete data from the hard disk.
In systems running Windows 9x, the Trojan installs itself as the driver MSGBS1.VXD.
In systems running Windows NT/2000/XP and all subsequent versions, it installs itself as the driver ACPI89.SYS.
The Trojan also creates the following two files:
C:\Program Files\Internet Explorer\fileproc.txt
C:\Program Files\Internet Explorer\filepath.txt

Trojan.Win32.KillAV.b

Friday, April 25th, 2008

Details
Trojan.Win32.KillAV.bl
This is a primitive Win32 Trojan. The size of the executable file is 32238 bytes.
The program searches for and deletes the services and processes listed below:

Trojan.Win32.KillAV.b

Friday, April 25th, 2008

Details
Trojan.Win32.KillAV.bk
This is a primitive Win32 Trojan program, written in C. It is compressed using UPX: the size of the compressed executable file is 5632 bytes, and uncompressed approximately 18KB.
The program searches for and deletes the services and processes listed below:

Trojan-Downloader.VBS.Agent.bk

Friday, April 25th, 2008

This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains Visual Basic Script and JavaScript scripts. It is 1238 bytes in size.

Trojan-Downloader.VBS.Agent.ch

Friday, April 25th, 2008

This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains Visual Basic Script and JavaScript scripts. It is 18716 bytes in size.

Trojan-Downloader.VBS.Agent.cd

Friday, April 25th, 2008

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is an HTML page which contains Visual Basic Script and JavaScript scripts. It is 4774 bytes in size.

Trojan-Spy.Win32.Iespy.od

Friday, April 25th, 2008

This malicious program is a Trojan. It is a Windows PE EXE file. It is 7205 bytes in size. It is packed using FSG. The unpacked file is approximately 40KB in size. It is written in C++.

Trojan-Spy.Win32.Iespy.oc.oc

Friday, April 25th, 2008

This malicious program is a Trojan. It is a Windows PE EXE file. It is 7241 bytes in size. It is packed using FSG. The unpacked file is approximately 40KB in size. It is written in C++.

Trojan-Downloader.Win32.Zanoza.gi

Friday, April 25th, 2008

This Trojan downloads other programs to the victim machine via the Internet and launches them for execution without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1893 bytes in size. It is packed using FSG. The unpacked file is approximately 14KB in size. It is written in…

Trojan-Downloader.Win32.Zanoza.ey

Friday, April 25th, 2008

This Trojan downloads other programs to the victim machine via the Internet and launches them for execution without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1897 bytes in size. It is packed using FSG. The unpacked file is approximately 14KB in size. It is written in…

Trojan-Downloader.Win32.Zanoza.bf

Friday, April 25th, 2008

This Trojan downloads other programs to the victim machine via the Internet and launches them for execution without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1893 bytes in size. It is packed using FSG. The unpacked file is approximately 14KB in size. It is written in…

Trojan-Downloader.Win32.Tiny.aly

Friday, April 25th, 2008

This Trojan downloads other programs to the victim machine via the Internet and launches them for execution without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1877 bytes in size. It is packed using FSG. The unpacked file is approximately 14KB in size. It is written in…

Trojan-Downloader.Win32.Small.tot.tot

Friday, April 25th, 2008

This Trojan downloads other programs to the victim machine via the Internet and launches them for execution without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1929 bytes in size. It is packed using FSG. The unpacked file is approximately 14KB in size. It is written in…

