Event ID - 7020

Port No: 7020
Service Name: TrojanDropper
RFC Doc: 0
Protocol: TCP
Description: This Trojan drops a copy of itself in the %Windows%\temp folder using the following file name:

51pywg´«Éñ.exe


(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

It then executes the said copy, which in turn drops several files on the affected machine, including the following malware:

TROJ_LEGMIR.A
TROJ_LMIR.RK

This Trojan runs on Windows NT, 2000, and XP.
Reference Link: TrojanDropper
Attack Solution:

Removing Malware Entries from the Registry

1. Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Setup
3. Locate and delete the subkey:
   {4E70CB6D-E87A-46C2-847E-037E8C911386}

Restoring Registry Modifications

1. Still in the Registry Editor, in the left panel, double-click the following:
   HKEY_LOCAL_MACHINE > Software > Microsoft > Windows NT > CurrentVersion > Winlogon
2. In the right panel, locate the entry:
   Shell = "Explorer.exe scanregw.exe"
   and change this to its default value:
   Shell = "Explorer.exe"
3. Close Registry Editor.


NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
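The script below is an added example and is not part of the original entry. It audits the two registry locations the cleanup steps name (the Setup subkey and the Winlogon Shell value) from an elevated PowerShell session and only changes anything when run with a -Fix switch. The -Fix switch, the variable names, and the choice to flag any Shell value other than Explorer.exe (not only the value this entry lists) are the example's own assumptions.

```powershell
# Added example, not from the original entry: audit the registry locations the
# cleanup steps name and optionally restore the Winlogon Shell default.
# Assumptions: elevated session; the GUID and Shell values are those listed above;
# the -Fix switch is this example's own convention.
param(
    [switch]$Fix
)

$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$setupKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\{4E70CB6D-E87A-46C2-847E-037E8C911386}'
$defaultShell = 'Explorer.exe'
$knownBadShell = 'Explorer.exe scanregw.exe'   # value this entry describes

$findings = @()

# 1. Winlogon Shell: anything appended after Explorer.exe is launched at every logon,
#    so any deviation from the default is worth reporting, not just the known value.
$shell = (Get-ItemProperty -LiteralPath $winlogonPath -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    $findings += 'Winlogon Shell value is missing'
} elseif ($shell -ne $defaultShell) {
    if ($shell -eq $knownBadShell) {
        $findings += "Winlogon Shell is '$shell' (matches the value this entry describes)"
    } else {
        $findings += "Winlogon Shell is '$shell' (expected '$defaultShell')"
    }
    if ($Fix) {
        Set-ItemProperty -LiteralPath $winlogonPath -Name 'Shell' -Value $defaultShell
        Write-Host "Restored Winlogon Shell to '$defaultShell'"
    }
}

# 2. The Setup subkey the cleanup steps tell you to delete.
if (Test-Path -LiteralPath $setupKey) {
    $findings += "Marker subkey present: $setupKey"
    if ($Fix) {
        Remove-Item -LiteralPath $setupKey -Recurse
        Write-Host "Deleted $setupKey"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No registry indicators from this entry were found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it once without -Fix to see what it would change; a non-default Shell value that is not the one this entry lists should be investigated before it is overwritten, since the same location is used by other malware families and by some legitimate shell replacements.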

Additional Windows ME/XP Cleaning Instructions


Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
