Description added       Aug 29 2002
Behavior                    TrojanDownloader
Technical details:
Apher is malware virus in the wild that spreads as an attachment to spoofed e-mails using a legitimate Microsoft address. The email text is disguised as a Kaspersky Labs Anit-virus software update.
Below is a screen shot of a spoofed e-mail message infected with Apher:

Technical details:
This Trojan is a Windows PE EXE file. The file is 61 440 bytes in size.
Payload:
During installation, the Trojan creates a file and saves its configuration to this file:
%WinDir%\cchost.ini
This Trojan is designed to send spam from a victim machine. When launched, it attempts to download, in encrypted form, the spam that will be sent:
http://www.smalltool.net/remotewatch/send_****.php
It also downloads a list of email addresses from the following address:
http://www.smalltool.net/remotewatch/user****.php
The Trojan will then send the spam it downloaded to the addresses on the list.
Removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Use Task Manager to terminate the Trojan process.
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the following file:
%WinDir%\cchost.ini
Update your antivirus databases and perform a full scan of the computer (download a new version of Panda Internet Security 2007).

Description added    Mar 30 2007
Behavior                 PSW Trojan
Technical details:
This Trojan is designed to steal confidential data. It is a Windows PE EXE file. The file is 7,680 bytes in size. It is not packed in any way. It is written in C++.
Installation:
When launched, the Trojan copies itself to the Windows system directory:
%System%/ .exe
It then creates a file in the same place called .cfg.
The Trojan also adds the following parameter to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
” .task” = “%System%/ .exe”
This ensures that the Trojan will be launched each time Windows is booted on the victim machine.
Payload:
This Trojan tracks the user’s actions on the victim machine.
It can:
log keystrokes;
record windows opened;
provides the option to indicate a specific window within which activity will be tracked.
The Trojan opens a random TCP port. It will attempt to connect to a mail server and send the harvested data.
Removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Use Task Manager to terminate the Trojan process.
Delete the following files:
%System%/ .exe
%System%/ .cfg
Delete the following registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
” .task”
Update your antivirus databases and perform a full scan of the computer (download a new version of Panda Internet Security 2007).

Description added    Feb 16 2007
Behavior                 TrojanClicker

Technical details:
This Trojan opens a variety of links without the knowledge or consent of the user. It is a Windows PE EXE file. It is 40,960 bytes in size. It is written in Visual Basic.

Payload:
Once launched, the Trojan will periodically open the following links without the user’s knowledge or consent:

http://www.mp3.com/****seuq
http://artists.mp3s.com/artist_stats/239/****seuq.html
http://artists.mp3s.com/artist_calendar/239/23****.html
http://play.mp3.com/cgi-bin/play/play.cgi/****

Removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1.Use Task Manager to terminate the Trojan process:
2.Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3.Update your antivirus databases and perform a full scan of the computer (download a new version of Panda Internet Security 2007). 
 

Description added Feb 19 2007
Behavior TrojanProxy
Technical details:This Trojan program turns the victim machine into a proxy server. It is a Windows PE EXE file. It is 27,136 bytes in size. It is packed using UPX. The unpacked file is approximately 60KB in size.
Installation:
The Trojan adds the following parameter to the Window system registry in order to ensure that its executable file will be launched automatically:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“UsbD” = ”

Payload:
The Trojan creates a SOCKS proxy server on a randomly chosen TCP port. The number of the open port and the victim machine’s network address will then be sent to the remote malicious user’s site. The remote malicious user will then be able to use the victim machine without the user’s knowledge or consent.
The Trojan will also periodically send an HTTP request to o.cjdra.com. In response it will get a URL to which it will then attempt to connect.
Removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Use Task Manager to terminate the Trojan process.
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the following key from the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“UsbD” = ”
Update your antivirus databases and perform a full scan of the computer (download a new version of Panda Internet Security 2007).

Technical details:
This Trojan program makes it possible for a remote malicious user to use the victim machine as a proxy server. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using UPack. The unpacked file is approximately 258KB in size.

Installation:
Onced launched, the Trojan drops the file shown below to %Documents and Settings%\%All Users%\Common Documents%\Settings.

arm32.dll — the attribute ‘hidden’ is assigned to this file
The Trojan ensures that its library will be loaded when the Winlogon process starts (on system boot):

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg]
 ”Asynchronous”=”dword: 0×00000001″
 ”DllName”=”%Documents and Settings%\%All Users%\%Common Documents%\Settings\arm32.dll”
 ”Startup”=”arm32reg”
 ”Impersonate”=”dword: 0×00000001″
The Trojan constantly checks that this key is present in the registry, and will restore it if the key is manually deleted.

Payload:
The Trojan downloads a configuration file from the remote malicious user’s site, and saves it to the following folder:

%Documents and Settings%\%All Users%\%Common Documents%\Settings\desktop.ini
The Trojan launches the iexplore.exe process and injects its code into this process. This process will open a random TCP port. The remote malicious user will then be notified of the open port number.
This enables the remote malicious user to work as if from the victim machine within a network.

Removal instructions:
Use Kaspersky Anti-Virus 6.0 to delete the Trojan. Update your antivirus databases and perform a full scan of the computer (download a new version of Panda Internet Security 2007).

Technical details:
This Trojan program uses spoofing technology, and is a fake HTML page. It is designed to steal confidential information from clients of Bank of America.
It arrives as an email which appears to be an important message:

The email contains a link which uses the Frame Spoof Vulnerability in Internet Explorer.
The Frame Spoof Vulnerability is detailed in Microsoft Security Bulletin(MS04-004) and is present in versions 5.x and 6.x of Microsoft Internet Explorer. Microsoft published a document describing the vulnerability and how to recognize such fake links.
Once the user enters the site, and enters his/ her account details, they will be sent to the remote malicious user, who may then have full access to the user’s account.

Description added       Mar 07 2000
Behavior                    Macro Virus
Technical details:
This virus infects MS Access databases. While infecting the virus replaces in databases the Autoexec script and copies to database additional form named “Jo”. This form contains a module with one function “Jg”.
When infected database is opened the virus searches for all databases in the current directory and infects them. While searching the virus uses the “*.MDB” mask.
Before infecting the virus changes several system parameters: disables viewing macros by using hot-keys and on error while executing macros. The virus does not have any payload procedure.
The virus contains the “copyright” text:
Copyright (C) 1998 by FlyShadow ~^^~ - Lovely

Description added        Mar 22 2007
Behavior                     TrojanSpy
Technical details:
This Trojan tracks the user’s keystrokes, and is designed to steal confidential information. It is a Windows PE EXE file. It is 136,192 bytes in size. It is not packed in any way. It is written in Visual C++.

Installation:
When launched, the Trojan displays the following dialogue box:
The user is then required to enter certain paramters, including the following: Directory, password, file name and startup key name. The resulting Trojan file, called KeyProbe.exe (43 520 bytes in size) which functions in resident mode, will be dropped to the specified folder.
The Trojan creates the following registry key:[HKLM\Software\Rosebud Technologies LTD\Key Probe]
It also adds the following values to the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“Key Probe” = “%WinDir%\KeyProbe.exe”
This ensures that the Trojan will be launched each time Windows is booted on the victim machine.

Payload:
The Trojan logs keystrokes Harvested data will be written to a log file called log.txt.
It is possible to configure the Trojan spy while it is running by pressing Shift five times and entering a password:
Removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Use Task Manager to terminate the Trojan process and delete the Trojan file:
“%WinDir%\KeyProbe.exe”
Delete the following registry key:
[HKLM\Software\Rosebud Technologies LTD\Key Probe]
Delete the following values from the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“Key Probe”
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Update your antivirus databases and perform a full scan of the computer (download a new version of Panda Internet Security 2007).

Technical details:
This Trojan spy program is designed to steal confidential financial information.
The Trojan itself is a Windows PE EXE file approximately 25KB in size, packed using FSG. The unpacked file is approximately 110KB in size.

Installation:
When installing itself to the system, the Trojan creates the following files in the Windows system directory:

%System%\winprint.dll
%System%\eps32sys.sys
TrojanSpy.Win32.Goldun.gu creates the following entries in the system registry:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winprint]
“DllName” = “winprint.dll”
“Startup” = “winprint”
“Impersonate” = “1″
“Asynchronous” = “1″
“MaxWait” = “1″
Payload:
TrojanSpy.Win32.Goldun.gu attempts to steal logins, passwords and other account information associated with e-gold online bank.

Removal instructions:
Delete the Trojan’s installation key from the system registry:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winprint]
Delete the following files:
%System%\winprint.dll
%System%\eps32sys.sys
Reboot the computer.
Perform a full scan of the computer (download a new version of Panda Internet Security 2007 here)