Remove Trojan Win32/Tilcun (PWS)
Summary
Win32/Tilcun is a family of trojans that steals online game passwords and sends this captured data to remote sites.
Symptoms
System Changes
The following system changes may indicate the presence of Win32/Tilcun:
Presence of the following file:
<system folder>\winsys.reg
Technical Information
Win32/Tilcun is a family of trojans that steals online game passwords and sends this captured data to remote sites.
Installation
When executed, Trojan:Win32/Tilcun drops a DLL into the System folder using a variant-specific filename (for example, one variant drops the file <system folder>\wrqszl.dll). It then drops a second file, <system folder>\winsys.reg, and imports it to modify the registry so that the DLL is loaded at each Windows start:
Adds value: "0"
With data: "{<CLSID>}"
To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS
Adds value: "(default)"
With data: "<system folder>\<DLL filename>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}\INPROCSERVER32
where <CLSID> is a hex string for the CLSID and <DLL filename> is the filename of the dropped DLL mentioned above.
For example:
Adds value: "(default)"
With data: "<system folder>\wrqszl.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\INPROCSERVER32
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
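The registry changes described above, as an added example that is not part of the original page: a small Python triage script that parses a .reg file of the shape the page describes (a ShellExecuteHooks entry naming a CLSID, and that CLSID's InProcServer32 default value pointing at a DLL in the System folder) and reports which hook DLLs live in the System folder. The sample .reg text, the function names and the list of System folder paths are constructed for this example; the CLSID and DLL filename are the ones the page gives as its example. Because the page describes the hook value as "0" with the CLSID as data, while .reg exports usually carry the CLSID in the value name, the parser accepts the CLSID in either position.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a winsys.reg-style file in the shape the page describes.
# The CLSID and DLL name are the page's own example values; the file text itself
# and the value layout are constructed for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"0"="{F99DEFDD-200B-4410-B572-E90883D527D2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\InProcServer32]
@="C:\\Windows\\System32\\wrqszl.dll"
"ThreadingModel"="Apartment"
"""

# Default System folder locations the page lists (constructed tuple, lower-cased for matching).
SYSTEM_FOLDERS = (r"c:\windows\system32", r"c:\winnt\system32")

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
CLSID_KEY_PREFIX = r"hkey_local_machine\software\classes\clsid"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG-format text into {key (lower-cased): {value name: data}}.
    String (REG_SZ) values are unescaped; dword:/hex: values are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # "@=" is the key's default value; "name"= is a named value.
            name = "(default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2).strip()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_shell_execute_hooks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Return (CLSID, DLL path) for each ShellExecuteHooks entry in the parsed file.
    The CLSID may sit in the value name or in the value data. The DLL path is None
    when the file registers no InProcServer32 for that CLSID."""
    hooks: List[Tuple[str, Optional[str]]] = []
    for name, data in keys.get(HOOKS_KEY, {}).items():
        m = GUID_RE.search(name) or GUID_RE.search(data)
        if not m:
            continue
        clsid = m.group(0).upper()
        server_key = CLSID_KEY_PREFIX + "\\" + clsid.lower() + "\\inprocserver32"
        dll = keys.get(server_key, {}).get("(default)")
        hooks.append((clsid, dll))
    return hooks


def triage(reg_text: str, system_folders=SYSTEM_FOLDERS) -> List[dict]:
    """Flag every ShellExecuteHooks registration whose server DLL lives in the
    System folder, which is the pattern the page describes for Win32/Tilcun."""
    findings = []
    for clsid, dll in find_shell_execute_hooks(parse_reg(reg_text)):
        in_system = dll is not None and any(dll.lower().startswith(sf + "\\") for sf in system_folders)
        findings.append({"clsid": clsid, "dll": dll, "in_system_folder": in_system})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        flag = "SUSPECT" if f["in_system_folder"] else "info"
        print(f"[{flag}] ShellExecuteHook {f['clsid']} -> {f['dll']}")
```

A hook whose DLL sits in the System folder is not proof of infection on its own; legitimate shell extensions register there too. The useful follow-up is to compare the reported DLL path against a known-good baseline of the host and to check whether the file is signed.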
Payload
Steals Online Game Passwords
Win32/Tilcun sets up hooks in order to capture login information for popular online games. It then sends the captured data to a remote site.
This malicious software can be removed using the Microsoft Malicious Software Removal Tool.
Download the Microsoft Malicious Software Removal Tool.