TROJ_WINCRASH.B

Aliases: WINCRASH.B

Description:
TROJ_WINCRASH.B is a Backdoor Trojan that is used to manipulate a remote PC. It has two components: the client program (used to control the server computer) and the server program (run on the computer intended to be compromised).

Solution:
1. Delete all instances of TROJ_WINCRASH.B as detected by our product to ensure re-infection does not occur. To do this, Trend customers must download the latest pattern file and scan their system. Other users may use Trend HouseCall, a free online virus scanner.
2. Click START | Run, type sysedit and press Enter.
3. Select the WIN.INI window and edit it by deleting the line run=drive:\Windows\SERVER.EXE, where "drive" is the drive on which Windows is installed. Then save the new system configuration by selecting the File | Save menu option.
4. Exit sysedit.
5. Click START | SHUTDOWN. Choose "Restart in MS-DOS mode" and click OK.
6. After the computer has restarted, the default directory should be C:\WINDOWS. If not, type "CD C:\WINDOWS". Delete the file server.exe in this directory.
7. Type "CD SYSTEM" and delete the files msvsrv.exe, mdihole.exe, redire32.exe, register.exe and msdecay.exe.
8. Press CTRL+ALT+DEL and allow Windows to restart.

In the wild: No
Trigger date 1: Any Day
Payload 1: Others (hacker tool)
Detected by pattern file#: 704
Detected by scan engine#: 5.10
Language: English
Platform: Windows
Encrypted: No
Size of virus: Server: 347136 B

Details:
This Trojan is effective only if the server program is run on a specific computer that the hacker wants to connect to. The server program is the program that allows the hacker to connect to the remote PC.

The server program, when run, drops the following files in the Windows\System folder:
Msvsrv.exe - 26,112 bytes
Mdihole.exe - 6,146 bytes
Redire32.exe - 31,744 bytes
Register.exe - 4,128 bytes
Msdecay.scr - 20,992 bytes

The dropped file Register.exe, which is detected as JOKE_FLIPPED by our product, causes the screen display to flip. Msdecay.scr is set as the default screen saver, which shows a melting screen. The other files are used by the server program as its component files to ensure proper execution.

The Trojan also drops a copy of itself as SERVER.EXE in the Windows folder. Then the Trojan modifies WIN.INI by adding the following line, so that the dropped file is run at every startup:
run=drive:\Windows\SERVER.EXE

The client program of the Trojan can be used to manipulate the computer of the victim running the server program. This client program enables the hacker to perform functions such as:
Controlling external devices: keyboard, mouse, printer, monitor, and CD-ROM
Controlling windows: taskbar, Start button
Getting system information from the server
Shutting down or disconnecting from the server

Source: Trend Virus Encyclopedia
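As an added example (not part of the Trend entry), the following Python checker looks for the two host indicators the entry gives: the run=/load= line in the [windows] section of WIN.INI that points at SERVER.EXE, and the dropped component files with the byte sizes listed above. The function names and the sample WIN.INI fragment are constructed for this example.

```python
import re
from pathlib import Path, PureWindowsPath

# Files the entry says the server program drops into Windows\System, with the
# byte sizes it lists. Removal step 7 also names "msdecay.exe" but gives no
# size for it, so that name is checked by presence only.
DROPPED_COMPONENTS = {
    "msvsrv.exe": 26112, "mdihole.exe": 6146, "redire32.exe": 31744,
    "register.exe": 4128, "msdecay.scr": 20992, "msdecay.exe": None,
}
SERVER_NAME, SERVER_SIZE = "server.exe", 347136  # copy dropped in the Windows folder


def find_server_run_entries(win_ini_text):
    """Return every program named on a run= or load= line of the [windows]
    section of WIN.INI whose file name is SERVER.EXE (the persistence line
    this Trojan adds). Matching is case-insensitive, as on Windows."""
    section, hits = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep:
            continue
        if key.strip().lower() in ("run", "load"):
            # Both keys may list several programs separated by spaces or commas.
            for prog in re.split(r"[ ,]+", value.strip()):
                if prog and PureWindowsPath(prog).name.lower() == SERVER_NAME:
                    hits.append(prog)
    return hits


def match_dropped_components(listing):
    """Given {file name: size in bytes} for a Windows\\System directory, return
    the entry's dropped-file names that are present, each mapped to whether
    its size agrees with the size the entry lists (True when no size given)."""
    lower = {name.lower(): size for name, size in listing.items()}
    return {name: (expected is None or lower[name] == expected)
            for name, expected in DROPPED_COMPONENTS.items() if name in lower}


def directory_listing(path):
    """Build the {name: size} mapping match_dropped_components expects from disk."""
    return {p.name: p.stat().st_size for p in Path(path).iterdir() if p.is_file()}


# Constructed sample WIN.INI fragment mirroring the line quoted in the entry.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\SERVER.EXE\n[Desktop]\nWallpaper=(None)\n"
```

A size mismatch on a present file is reported as False rather than ignored, since a renamed or repacked component still warrants a look.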