Wednesday, May 11, 2011

How to remove malware belonging to the family Trojan-PSW.Win32.Kates

How to remove malware belonging to the family Trojan-PSW.Win32.Kates

In this section you will find recommendations how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect/remove malicious programs you may have to modify the system registry or use an additional utility. If you failed to find the necessary information or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.

A trojan is a term used to describe a type of malware designed to harm computer systems. Trojans are not self-replicating. Some trojans are capable of autonomous penetration through computer protection systems aiming to invade and infect the system. Usually trojans penetrate a system along with a virus or a worm in the result of careless behavior of the user or through an active attack attempt.

Trojan password stealers (Trojan-PSW) are trojans designed to steal passwords and other confidential data without using keystroke logging. Such trojans have means to extract passwords from the files used by applications to store them.

To disinfect a system compromised with malware belonging to the family Trojan-PSW.Win32.Kates (also known as W32/Daonol) use Kaspersky Anti-Virus installed on the PC. If you do not have Kaspersky Anti-Virus installed, we recommend to install a Kaspersky Lab application or use the utility KatesKiller.exe in order to remove malware belonging to the family Trojan-PSW.Win32.Kates.

Disinfection of an infected system

* Download the archive and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).
* Run the KatesKiller.exe file.
* Wait for the scan and disinfection to finish. No reboot is needed after disinfection.

Optional parameters to run the utility from command line

-l <file_name> - write log to the file.

-v – detailed logging (must be used in combination with the parameter -l)
-s – scan in “silent” mode (without opening console box).
-y – when the utility finishes, its window will be closed

Signs of Trojan-PSW.Win32.Kates infection

* Antivirus software detects an infected file with random name and extension. When deleted, such file immediately restores (it does not refer to Kaspersky Lab applications. Kaspersky Anti-Virus has a special disinfection procedure).

* explorer.exe terminates at an attempt to start any of the following applications:

o Registry editor (regedit.exe);
o Command line (cmd.exe);
o Total Commander.
* Files with the following extensions cannot be started:
o .bat;
o .reg.
* The following functions are hooked in almost all processes:
o CreateProcessW;
o WSARecv;
o WSASend;
o send;
o connect;
o recv.

An experienced user can track the hooks using the utility Gmer, for example:

or Rootkit Unhooker:

When run without parameters, the utility:

* Detects and kills malicious threads;

* Detects function hooks, and unhooks functions:

o CreateProcessW;
o WSASend;
o WSARecv;
o send;
o recv;
o connect.
* Detects and removes files and registry keys belonging to the malicious program.

* No reboot is needed after disinfection.

No comments:

Post a Comment