« on: 17. May 2007., 16:09:59 »
Discovery Date
24,064 bytes
Minimum DAT: 4994 (03/28/2007)
Updated DAT: 4996 (02/02/2007)
Minimum Engine
Description Added
Description Modified

Overview -

The "" trojan is designed to download files from a remote site.
Pushu.A!tr (Fortinet)
Troj/Pushu-A (Sophos)
Trojan-Dropper.Win32.Small.avu (Kaspersky)
Trojan.Pandex (Symantec)

Characteristics -

-- Update March 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

The "" trojan is designed to download files from a remote site.

Upon execution, the trojan drops the following files:
%Windir%\System32\drivers\ip6fw.sys (
%Windir%\System32\drivers\runtime.sys (
%Windir%\System32\5_exception.nls (

(Where %Windir% is the Windows folder, e.g. C:\Windows)

It adds the following registry keys:
"ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime "ImagePath"
"ImagePath" =  \??\%Windir%\System32\drivers\runtime.sys
"ErrorControl" = 1
"Start" = 3
"Type" = 1

The trojan injects code into the process "IExplore.exe". The injected code attempts to download files from the following remote site.

Symptoms -

Existence of mentioned files and registry keys.

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).