This Trojan may be downloaded from the Internet. It may also be dropped by another malware. Trend Micro has detected that this Trojan is being spammed via email.

Upon execution, it executes the legitimate file SVCHOST.EXE and injects its process into the executed file. It does the said routine to hide its malicious routines.

It then connects to a certain URL to download and execute a file. The said file is detected as TROJ_GOBRENA.AC. As a result, the malicious routines of the download malware is executed on the affected system.

It terminates itself after successfully injecting its process.

Details:

This Trojan may be downloaded from the Internet. It may also be dropped by another malware. Trend Micro has detected that this Trojan is being spammed via email.

Upon execution, it executes the legitimate file SVCHOST.EXE and injects its process into the executed file. It does the said routine to hide its malicious routines.

It then connects to the URL http://www.eden21.net/flash/menu12.swf to download and execute the file USER16.EXE. The said file is stored in the root folder (usually C:\) and detected as TROJ_GOBRENA.AC.

It terminates itself after successfully injecting its process.

This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Solution:

(Note: Restart your computer before proceeding with the following solution.)

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_GOBRENA.AB and TROJ_GOBRENA.AC. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.