
Vorofer (trojan)

Feb 19, 2004 11:38PM PST

Date Discovered: 2/2/2004
Date Added: 2/20/2004
Origin: Unknown
Length: 7680
Type: Trojan
SubType: Downloader

Detection was added to cover for a 32-bit binary PE file having a filesize of 7680 bytes. The file is internally compressed with UPX. The filenames are variable and may include names that are very close to regular system files, for example, but not limited to, "taskmon.exe" and/or "system.exe".

When run on, for example, a Win2000 system, it runs silently; no GUI message boxes appear. It removes itself from the location it was initially run from and moves itself to the %win\%system directory such as c:\winnt\system\taskmon.exe.

The taskmon process is visible in the Windows Task Manager process tab as taskmon.exe. The process can be killed manually.

It makes changes to the registry to load itself automatically at startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with, in this case:

Name : System Update
Data : c:\winnt\system\taskmon.exe

Note: VirusScan not only kills the malicious Process but also removes the File and removes the added Registry link Automatically.

When running, it tries to connect to certain websites, the exact addresses omitted on purpose here.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101039
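
A triage check built from the indicators in the description above, as an added example that is not part of the original post or of the vendor write-up: it parses `reg query` text for the Run key and flags values that match the reported value name, a look-alike file name in a `system` directory, or the 7680-byte size. The function names, the sample output and the assumed column separator (a tab or four spaces) are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above; the file names are examples, not a full list.
RUN_VALUE_NAME = "system update"
LOOKALIKE_NAMES = {"taskmon.exe", "system.exe"}
SAMPLE_SIZE = 7680  # bytes

# One value line of `reg query` output: name, type, data (assumed tab or 4-space separated).
VALUE_LINE = re.compile(r"^\s+(.+?)(?:\t| {4})(REG_\w+)(?:\t| {4})(.*)$")

def parse_run_values(reg_output):
    """Return (name, data) pairs from `reg query` text for a Run key."""
    pairs = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            pairs.append((m.group(1).strip(), m.group(3).strip()))
    return pairs

def triage(reg_output, file_sizes=None):
    """Map each suspicious Run value name to the list of reasons it matched."""
    file_sizes = {k.lower(): v for k, v in (file_sizes or {}).items()}
    findings = {}
    for name, data in parse_run_values(reg_output):
        path = data.strip('"').lower()
        folder, exe = ntpath.split(path)
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name 'System Update'")
        if exe in LOOKALIKE_NAMES and ntpath.basename(folder) == "system":
            reasons.append("look-alike name in the system directory")
        if file_sizes.get(path) == SAMPLE_SIZE:
            reasons.append("file size 7680 bytes")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample output, not captured from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    System Update    REG_SZ    c:\winnt\system\taskmon.exe
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
"""

if __name__ == "__main__":
    sizes = {r"c:\winnt\system\taskmon.exe": 7680}  # constructed
    for value, why in triage(SAMPLE, sizes).items():
        print(value, "->", "; ".join(why))
```

On a live system the `file_sizes` mapping would be filled from the files the Run values point to; a match on several reasons at once is a much stronger signal than any single one.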
