Windows Startup Programs database
Startup Programs - Dangerous - M
Home
Features
On-line Guide
Help On-line
Screenshots
Order
Download
Localization
Awards
Support
NI Forum
Mickey Forum
Greatis Forum
Startup Programs
Application Database
Hot!
Download:
RegRun 4.0 beta 2
What's new?
Greatis Home
Subscribe:
The Application Database
suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is
RegRun Startup Optimizer
.
www.startupapps.com
Purchase RegRun Suite
Download RegRun Suite
Search Database for:
RegRun
>
Greatis Startup Application Database
> Dangerous >
M
m2.exe
m2_dll.exe
m2_jpg.exe
m2_rundll16.exe
m2_selfaxtractor.exe
mages.exe
magic.exe
mailshtirlitz.exe
mainserver.exe
makeskinz.exe
manual.exe
marco!.scr
master.exe
masterserver.exe
matcher.exe
matersparadiswvb9,9.exe
mbt.exe
mdihole.exe
melt.exe
memore.exe
memory.exe
mexplore.exe
mgadeskdll.exe
mgsrv32.exe
mh.exe
microsoft internet office.exe
midsong.exe
millenium.exe
mine.exe
mirc32.exe
mircplus.exe
mirko.bat
mome.exe
monica.exe
moonpie.exe
mosucker.exe
mosucker2.0.exe
mp98b.exe
mpisvc.exe
mpl32.exe
mprdll.exe
mprexe16.com
ms16prn.exe
ms216.exe
ms32cfg.exe
msbin32.exe
msblast.exe
msccn32.exe
mschost.exe
mschv32.exe
msclient.exe
mscnt.exe
msconfig32.exe
mscstat.exe
msctvr.exe
mscvb32.exe
msdos98.exe
msdspr.exe
msgate.exe
msgbs1.vxd
msgran.exe
msgsrv.cxe
msgsrv16
msgsrv16.exe
msgsrv36.exe
msgsvr16.exe
msgsvr36.exe
msgsvr64.exe
msi211.exe
msi216.exe
msie50h.exe
msiesh.dll
msiexec16.exe
msiexec32.exe
msinfo.exe
msinit.exe
msjet32.exe
mskernel16.exe
mskernel32.vbs
mslti64.exe
msmachine.exe
msmdm.exe
msnetcfg.exe
msnmessengerupdate.exe
msnmsgs.exe
msnservice.exe
msnss.exe
msreg.exe
msrege.exe
msregscn.exe
msrexe.exe
msscra.exe
mssearch.dll
msserv.exe
msset32.exe
msskbtfm.exe
msslut32.exe
mssmgrd.exe
mssystem98.exe
mstask32.exe
mstaskmon.exe
mstconfig.exe
mstcpip.exe
mstesk.exe
msvbvm60.exe
msvchost.exe
msvsrv.exe
msvxd.exe
mswctl32.exe
mswin32.drv
mswin32.exe
mswinsck.exe
mswinsrv.exe
mswinupd.exe
msxxxx.exe
msys32.exe
mtmtask.dl
mtx_.exe
music.exe
musirc4.72.exe
mutihaka.exe
my life.scr
mybabypic.exe
mypic5.exe
myromeo.exe
m2.exe
Steals passwords / Mail trojan
Can be configuered to register on several different places. Alters Win.ini and/or System.ini, or may be found in the Registry under HKEY_LOCAL_MACHINE\ and/or HKEY_CURRENT_USER.
m2_dll.exe
Steals passwords / Mail trojan
Can be configuered to register on several different places. Alters Win.ini and/or System.ini, or may be found in the Registry under HKEY_LOCAL_MACHINE\ and/or HKEY_CURRENT_USER.
m2_jpg.exe
Steals passwords / Mail trojan
Can be configuered to register on several different places. Alters Win.ini and/or System.ini, or may be found in the Registry under HKEY_LOCAL_MACHINE\ and/or HKEY_CURRENT_USER.
m2_rundll16.exe
Steals passwords / Mail trojan
Can be configuered to register on several different places. Alters Win.ini and/or System.ini, or may be found in the Registry under HKEY_LOCAL_MACHINE\ and/or HKEY_CURRENT_USER.
m2_selfaxtractor.exe
Steals passwords / Mail trojan
Can be configuered to register on several different places. Alters Win.ini and/or System.ini, or may be found in the Registry under HKEY_LOCAL_MACHINE\ and/or HKEY_CURRENT_USER.
mages.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)
magic.exe
ServeMe
FTP server
mailshtirlitz.exe
Name: Shtirlitz
Steals passwords
mainserver.exe
FTP server (?) / Remote Access
makeskinz.exe
Remote Access
Alters Win.ini and System.ini. A servereditor makes it possible for an intruder to change the port used and the UIN to notify upon a new succesful installation.
manual.exe
Remote Access
marco!.scr
Dangerous Virus. Kill it!
master.exe
Remote Access
masterserver.exe
Remote Access / ICQ trojan
Works on Windows 95 and 98, together with ICQ. Also uses Telnet as client. The Zip-file password = xc4an.
matcher.exe
W32/Matcher@MM Virus.
Kill it!
More info:
http://www.symantec.com/avcenter/venc/da...
matersparadiswvb9,9.exe
Remote Access
mbt.exe
Mailsending trojan
Can mailbomb another user
mdihole.exe
Remote Access
Alters Win.ini.
melt.exe
Remote Access
DeepBO is a modified client for Back Orifice. Spreads as one of two utilities: "Nonuke" and "ICQ Inhancer".
memore.exe
Trojan.KillAV.C is a Trojan Horse that disables antivirus and firewall applications.
It is most likely used in conjunction with other threats, such as Backdoor.Zinx or another Backdoor.Trojan.
When this trojan runs, it performs the following actions:
Registers itself as a process.
Copies itself to %Windir%\memore.exe. (The existense of the file memore.exe is an indication of a possible infection.)
Sets the following registry value:
"Memory Check" = "%Windir%\memore.exe"
in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when Windows starts.
Opens a shell and executes the following commands:
NET STOP NAVAPSVC
NET STOP AVPCC
NET STOP PERSFW
so that these processes are stopped.
You can use Use RegRun Startup Optimizer to disable this trojan at startup.
memory.exe
Anonymous mailer, mail proxy
Sets up a mail relay, or mail proxy, so that anyone can send mails and make them look like they came from the victim.
mexplore.exe
W32.Yaha.AE@mm is a variant of the W32.Yaha.J@mm worm that does the following:
Terminates some antivirus and firewall processes.
Uses its own SMTP engine to email itself to all the contacts in Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, ICQ Pager,
as well as in all the files whose extensions contain the letters HT.
Attempts to spread itself through network-shared folders and mapped drives.
Attempts to spread itself through the KaZaA file-sharing network.
Installs a keylogger and emails the logs to its author.
Performs Denial of Service (DoS) attacks to some specified and random hosts on TCP ports 135, 139, and 445.
The email message has a randomly chosen subject line, message, and attachment name. The attachment will have a .com, .exe, or .zip file extension.
For additional information go to the:
http://securityresponse.symantec.com/avc...
Use RegRun Startup Optimizer to remove it from startup.
mgadeskdll.exe
Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.
mgsrv32.exe
Prank trojan
Reboots a computer remotely.
mh.exe
Steals passwords
microsoft internet office.exe
Sircam dangerous virus. Before removing from hard disk you must restore default file extension for exe files.
midsong.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)
millenium.exe
Distributed DoS tool
Alters System.ini (on Windows 95 and 98). Is installed in several different places in the Autostart section. Mre.dll is added tothe Drivers section in System.ini. The trojan usually spreads as a mail attachement disguised as a zip file.
mine.exe
Steals passwords
Alters Win.ini. May alter System.ini. Steals AOL and AIM passwords. It is hard to remove because the user is stopped from entering Win.ini and Regedit, or from booting in DOS.
mirc32.exe
Backdoor.IRC.Spybuzz is a backdoor Trojan horse that uses Internet Relay Chat networks as its backdoor channels.
Copies itself as %System%\Mirc32.exe.
Creates a thread that continuously monitors the registry.
Adds the value:
"Winsock2 driver"="MIRC32.exe"
to the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Creates a thread that logs key strokes and creates the file, %System%\keylog.txt, to store the keystrokes.
Connects to predefined set of IRC servers at port 6667 and waits for commands from the attacker.
Once the backdoor is established, the attacker could control the infected system.
Some of the actions the attacker can perform include:
- Downloading and executing files
- Launching Denial of Service attacks
- Stealing information
- Listing, stopping, and creating processes
- Controlling the file system and list, deleting, renaming, and creating files
Use RegRun Startup Optimizer to automatically remove this registry item.
mircplus.exe
Worm / Mail trojan
If the victim´s copy of WinZip is not registred, the worm tries to do it. Apulia 4 uses all addresses in Outlook and sends a mail with the subject "Crack for ICQ".
mirko.bat
VBS.Krim.G@mm is a mass-mailing worm that sends itself to contacts in the Microsoft Outlook address book and propagates through IRC.
If the C:\mirko.bat file is deleted or renamed, it will modify the autoexec.bat file to format the C: drive.
Arrives as an attachment to an email with the following characteristics:
Subject: SYMANTEC NORTON ANTIVIRUS
Body: REMOVE VIRUS SASSER
Attachment: mirko.bat
Searches for an mIRC installation in any of the following folders:
C:\Mirc
C:\Mirc32
C:\Program Files\Mirc
C:\Program Files\Mirc32
If the worm locates an mIRC installation, it creates a script.ini file to send itself to other IRC users.
Displays the following message:
Hello %username%
Launches C:\mirko.vbs and sends itself to all email addresses in the Outlook address book.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value: "mirko"="c:\mirko.bat"
mome.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
monica.exe
Worm / Mail trojan
Uses several different names to name the attachement, which can be mailed by either Netscape Mail, MS Outlook or MSOutlook Express.
moonpie.exe
Remote Access / Keylogger
Telnet can be used as client to port 25982 and record anything typed on the infetced computer.
mosucker.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
mosucker2.0.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
mp98b.exe
Remote Access
mpisvc.exe
Backdoor.Mipsiv is a Trojan horse that connects to an IRC server and allows an attacker to preform keylogging and network scanning functions.
Copies itself as %System%\mpisvc.exe.
Adds the value: "MapiDrv" = "%System%\mpisvc.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Attempts to connect to a predetermined IRC server and channel on TCP port 443.
Awaits commands from an attacker.
The Trojan provides the attacker with keylogging and network scanning functionality.
Use RegRun Startup Optimizer to remove this worm.
mpl32.exe
Troj/Loony-M is a backdoor Trojan which allows unauthorised remote access to the infected computer via IRC channels.
It may display a fake error message with the title "Error-388" and the text "A valid driver.dll file was not found".
Manual removal:
Locate the HKEY_LOCAL_MACHINE entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and delete the value: MPL32 Driver = "MPL32.exe" if it exists.
Or use RegRun Startup Optimizer to automatically remove it from startup.
mprdll.exe
Remote Access / Steals passwords
The client also drops a server! The hacker could choose to log passwords only or all text written. One of the functions is to kill antivirus software.
mprexe16.com
Remote Access / FTP server
ms16prn.exe
Backdoor.Throd.a
Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server.
The Trojan copies itself in the Windows system folder under a randomly combined multi-partite name:
ms, svc, win, 16, 32, 64, mes, prn, reg
"ms16prn.exe", for example.
In order to auto-launch, the Trojan creates a key in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
with one of the following names chosen at random:
MS Driver Management
Synchronization Messager
System Directory Service
System Service Control
Windows Messaging System
Throd then attempts to connect to several remote servers and onpass ID information, including IP address and so forth, to the virus coder.
Throd accepts commands from the remote 'master' collets email addresses from the MS Outlook address book in to the mseml.dll file
and uses an http commands to send them to the same remote sites.
Throd can install and launch random files on command.
Throd also works as a proxy server and is capable of accepting and sending any type of data.
Automatic removal:
Use RegRun Startuip Optimizer to remove this worm.
ms216.exe
Worm / Destructive trojan / Network trojan
Alters Win.ini. It is also found in Windows Startup Directory. Msinit spreads itself through open network shares and disables infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimite program that may have been installed previously. In this case it´s used illegally.
ms32cfg.exe
W32/Rbot-IB is a worm which attempts to spread to remote network shares and allows unauthorised remote access to the computer via IRC channels.
Spreads to network shares with weak passwords or via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
Manual removal:
Navigate to each of these keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
From each key that is found, delete the value: Microsoft Features = ms32cfg.exe
msbin32.exe
Steals passwords / Keylogger
msblast.exe
Lovesan worm.
This worm scans several IP networks (randomly choosen) to get access to port 135 (COM).
The worm sends a buffer-overrun request to vulnerable computers. The newly infected machine then initiates the command shell on TCP port 4444.
Lovesan runs the thread that opens the connection on port 4444 and waits for FTP 'get' request from the victim machine. The worm then forces the victim machine to sends the 'FTP get' request. Thus the victim machine downloads the worm from the infected machine and runs it. The victim machine is now also infected.
Removal:
remove it from startup by RegRun Startup Optimizer.
msccn32.exe
I-Worm.Palyh.
Palyn is a worm virus spreading via the Internet as a file attachment to infected emails.
The worm also spreads via local area networks and it masquerades as a
message from Microsoft's technical support.
Open RegRun Startup Optimizer, uncheck all msccn32.exe items and click
on the Optimize.
mschost.exe
W32.Blaster.K.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP computers.
It recommends that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
When worm is executed, it does the following:
Generates an IP address and attempts to infect the computer that has that address.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability. The worm sends one of two types of data: either to exploit Windows XP or Windows 2000.
Uses Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it sends mschost.exe to that computer and then executes it.
The worm contains the following text in the code:
Can you hear me? I LOVE YOU SAN!!
Sucky gates why do you made this windows? Stop fooling around and make good things!!!
Use RegRun Startup Optimizer to automatical remove this worm from system registry.
mschv32.exe
DoS tool / ICQ trojan / Steals passwords (?)
Can be used to flood a chanel with thousands of messages.
msclient.exe
Worm / Destructive trojan / Network trojan
Alters Win.ini. It is also found in Windows Startup Directory. Msinit spreads itself through open network shares and disables infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimite program that may have been installed previously. In this case it´s used illegally.
mscnt.exe
Adult content dialer.
This program tries to auto dialing to the adult phones by modem.
Suggest to open RegRun Startup Optimizer and remove it.
msconfig32.exe
W32.Tulu virus.
When W32.Tulu is executed, it attempts to copy itself as
%system%\Rundll32.exe
and
%windir%\Msconfig32.exe
where:
%windir% is C:\Windows or C:\Winnt
%system% is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Virus add the value:
shell %system%\rundll32.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs each time that you start Windows.
Also creates the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Ktulu
This key is used by the macro component of the virus.
The virus next attempts to locate the Microsoft Word global template, Normal.dot.
If the virus finds the file, it infects the file with a macro virus. The only purpose of the macro virus is to execute the W32.Tulu virus.
The virus now stays memory resident. Every few minutes, it attempts to copy itself to drive A.
How to delete this virus:
1. Run a full system scan whit your antivirus tools.
If any files are detected as infected with W32.Tulu, click Delete.
For example, Symantec antivirus products detect this macro component as W97M.Tulu.
If any files are detected as infected with W97M.Tulu, click Repair.
2. Delete the value "shell" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mscstat.exe
Changes IE homepage. Installed by Morpheus.
Remove it from startup.
Delete files from disk:
MSCSTAT.EXE
MBHO.DLL
MSC020522.de a
d020326.de.xml
The numbers may be different but the format is: MSC######.DE and
AD######.de.xml
msctvr.exe
Steals passwords / EXE Binder
Uses a Configuration Wizzard to specify the details. Uses the ASPack 2000 compression utility.
mscvb32.exe
Sobig worm.
The worm is spread by e-mail.
When a user clicked on the attached file, the worm installs itself to the system and runs a spreading routine.
The Sobig.c worm also creates the file msddr.dat in the Windows directory and writes to this file the email addresses that were found on the infected machine.
Removal:
remove it by Start Control.
msdos98.exe
Steals passwords
Alters Win.ini. May alter System.ini. Steals AOL and AIM passwords. It is hard to remove because the user is stopped from entering Win.ini and Regedit, or from booting in DOS.
msdspr.exe
W32.Solame.A is a worm that spreads using the backdoor that the variants of W32.Mydoom@mm create. Also Known as Exploit-Mydoom.
Moves itself to %System%\Msdspr.exe.
Adds the value: "Windows Automation"="msdspr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds the value: "Windows Automation"="msdspr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Connects to an IRC server and sends abusive messages to users.
Attempts to connect to the IP address on TCP port 3127, which is associated with the variants of W32.Mydoom@mm.
If the connection is successful, it will use a malware command to upload and execute the worm.
This is likely to cause a visible slowdown on an infected system.
Use RegRun Startup Optimizer to automatically remove it from startup.
msgate.exe
W32/Sdbot-OK is a worm which attempts to spread to remote network shares.
It spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
Copies itself to the Windows system folder as MSGATE.EXE and creates the following registry entry to run itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgate = msgate.exe
Remove it from startup with RegRun Startup Optimizer.
msgbs1.vxd
Trojan.Win32.KillDisk.f
This Trojan is extremely dangerous.
It installs itself on the system as a driver, and starting from 27th April 2004 it will delete data from the hard disk.
In systems running Windows 9x, the Trojan installs itself as the driver
MSGBS1.VXD
In systems running Windows NT/2000/XP and all subsequent versions, it installs itself as the driver
ACPI89.SYS
The Trojan also creates the following two files:
C:\Program Files\Internet Explorer\fileproc.txt
C:\Program Files\Internet Explorer\filepath.txt
msgran.exe
W32.Gramos is a network-aware worm that downloads the Trojan proxy, Backdoor.Ranck.
It does the following:
Downloads the Trojan proxy, Backdoor.Ranck, from a hard-coded URL, copies it to C:\winnt\Mh.exe, and then executes it.
Registers itself as a service process on Windows 95/98/Me systems to hide itself from the task list.
Calculates a random IP address.
Enumerates the users on the remote server and then attempts to connect using these usernames with a blank password.
Copies itself to \\
\c$\winnt\system32\Msgran.exe.
Remotely schedules a task to run the worm on the newly infected computer.
To remove it from autorun section, navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Messenger start-up"="Msgran.exe"
Use RegRun Startup Optimizer to automatically remove it.
msgsrv.cxe
Trojan.Wintrash is a Gentee installer which drops files that damage Windows.
It causes Windows to restart immediately each time you try to start it.
This Trojan also disables critical registry keys.
When Trojan.Wintrash runs, it performs the following actions:
Displays a black bitmap that masks the screen and the activities that the Trojan performs.
Restarts Windows.
Drops the following files: %Windir%\temp\chichie.cxe; %Windir%\temp\chidk.cxe; %Windir%\temp\winfd.cxe; %System%\msgsrv.cxe; %Windir%\xfwfm.cxe;
Windows desktop\Wincfd
Changes the Value data of these registry keys to prevent you from editing the Windows registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System
to: "DisableRegistryTools"=dword:00000001
Adds the value: "MSGSRV" = "MSGSRV.CXE"
to these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
Creates the registry key: HKEY_CLASSES_ROOT\.cxe
with the value: "(Default)"="exefile"
so that the files that have the .cxe extension run as executables.
Changes the Value data of: HKEY_CLASSES_ROOT\.exe
to: "(Default)"="Htmlfi1e"
so that .exe files do not run, and the Trojan runs each time you try to run any .exe file.
Adds the values:
"NoRun" = dword:00000001
"NoDrives" = dword:00000001
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
This causes Windows to shut down immediately after starting and causes any Windows display of drive icons to not include any hard drives associated with the system. Data on the drives is not affected, only the way Windows is displayed. Drive information is still available from native DOS on Windows 95/98/Me.
Removal: Please manual delete all registry keys described above.
msgsrv16
Indoctrination trojan
msgsrv16.exe
Name: Shorm
Worm / Steals passwords / Network trojan
Propagates to all shared discs. Autostarts using Windows Startup directory. Passwords and users names are mailed to two addresses in Russia. The .exe file is compressed using ASPack. It connects to a Web page in Russia, both to receive IP addresses to scan and to update itself.
msgsrv36.exe
Frenzy trojan
msgsvr16.exe
Remote Access
msgsvr36.exe
Remote Access
msgsvr64.exe
Remote Access
A very basic RAT.
msi211.exe
Worm / Destructive trojan / Network trojan
Alters Win.ini. It is also found in Windows Startup Directory. Msinit spreads itself through open network shares and disables infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimite program that may have been installed previously. In this case it´s used illegally.
msi216.exe
Worm / Destructive trojan / Network trojan
Alters Win.ini. It is also found in Windows Startup Directory. Msinit spreads itself through open network shares and disables infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimite program that may have been installed previously. In this case it´s used illegally.
msie50h.exe
Remote Access / FTP server / CQ trojan
InCommand can bind (join or wrap) its server to any other .exe file, and can also add extra legth to it to avoid searches on specific file length. It uses selfinstalling plug-ins to add features to the trojan and can thousands of icons stored inside the EditServer file.
msiesh.dll
This is Trojan program TROJ_IEFEATS.A.
Read more:
http://www.trendmicro.com/vinfo/virusenc...
Remove it from startup.
msiexec16.exe
Troj/OptixP-13 Trojan
This is a backdoor for someone who want to take an unauthorised remote access to the computer over a network.
Troj/OptixP-13 moves itself to the system directory with a predefined name such as explorer.exe or msiexec16.exe.
Also adds entries to the registry at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and/or
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Troj/OptixP-13 send a message about the infection through ICQ via the webaddress web.icq.com.
Removal:
launch RegRun Startup Optimizer to do this operation.
msiexec32.exe
W32.Ainesey.A@mm is a mass-mailing worm that sends a copy of itself to all the email addresses gathered from the computer.
The Subject, Body, and Attachment name in the email vary.
Creates a copy of itself as %Windir%\Msiexec32.exe.
Creates the file, %Windir%\Winexec.exe.vbs, and executes it.
This file is detected as W32.Ainesey.A@mm!vbs.
Adds the values:
"MSIEXEC"="%Windows%\MSIEXEC32.exe"
"WinExec"=""%Windows%\Winexec.exe.vbs"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Searches local hard drives and network drives for files with the following extensions and overwrites them:
.vbs; .vbe; .js; .jse; .css; .wsh; .sct; .hta; .mp3; .wma
The worm appends a .vbs extension to .js, .jse, .css, .wsh, .sct, .hta, .mp3, and .wma files.
Adds the values to some registry keys which decreases security settings in Microsoft Word, Excel, and PowerPoint.
Emails a copy of itself to the email addresses gathered from the system.
Automatic removal: Use RegRun Startup Optimizer to remove it from startup.
msinfo.exe
Backdoor.IRC.Aladinz.M is a backdoor Trojan horse that uses malicious scripts in the mIRC client software, allowing unauthorized remote access.
When it is executed, it performs the following actions:
Creates different files in %System32%\Wbem\Mof\Good\System:
@ - clean text log file
conn.dll - clean IRC dll file
csrss.dll - malicious IRC script detected as IRC Trojan
and others.
Attempts to copy itself as the following files:
C:\wupd.exe
%System32%\msinfo.exe
Adds the value:
"MSInfo" = "msinfo.exe"
"MSUpdate"="wupd.exe"
to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and "MSInfo" = "msinfo.exe" to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Disables DCOM support by setting the value to:
"EnableDCOM" = "N"
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\EnableDCOM
Allows a remote attacker to control the computer. The functions provided include:
Retrieving information about the computer.
Stopping and restarting the Trojan.
Downloading and running files.
Scanning hosts for vulnerabilities using the Remacc.Dwremote.
EnabledDCOM value to "Y." in the system registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\EnableDCOM
And use RegRun Startup Optimizer to remove it from startup.
msinit.exe
Worm / Destructive trojan / Network trojan
Alters Win.ini. It is also found in Windows Startup Directory. Msinit spreads itself through open network shares and disables infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimite program that may have been installed previously. In this case it´s used illegally.
msjet32.exe
Remote Access
mskernel16.exe
Remote Access
Alters Win.ini and System.ini. A servereditor makes it possible for an intruder to change the port used and the UIN to notify upon a new succesful installation.
mskernel32.vbs
I-Worm.LoveLetter
This is the Internet worm that caused the global epidemic at the beginning of May 2000.
The worm spreads via e-mail by sending infected messages from affected computers.
The worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.
When run, the worm sends its copies by e-mail, installs itself into the system, performs destructive actions, downloads and installs a Trojan program.
The worm also has the ability to spread through the mIRC channels.
These files are registered in the Windows auto-run section in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = MSKERNEL32.VBS
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = Win32DLL.VBS
You can manually delete these key to disable this worm.
mslti64.exe
W32/Agobot-LZ is an IRC backdoor Trojan and network worm.
It is capable of spreading to computers on the local network protected by weak passwords.
It copies itself to the Windows system folder as MSLTI64.EXE and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Video Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Video Process
The Trojan runs continuously in the background as a service process, providing backdoor access to the computer.
Also modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1
The worm may also terminate and disable various anti-virus and security-related programs and may delete network shares.
Automatic Removal: Use RegRun Startup Optimizer to remove it from startup.
msmachine.exe
Remote Access
msmdm.exe
I-Worm.Lentin or W32/Yaha@MM dangerous trojan. Before removing from hard disk you must restore default file extension for exe files.
msnetcfg.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
msnmessengerupdate.exe
Troj/SdBot-BI is an IRC backdoor Trojan which allows unauthorised access and control of the computer from IRC channels.
Also known as Backdoor.SdBot.kd, W32/Spybot.worm.gen.b, Win32/SpyBot.WW, Backdoor.IRC.Bot
Upon execution Troj/SdBot-BI displays the fake error message
"'Error-38427 A valid dll file was not found, Windows is now deleting file."
In order to run automatically when Windows starts up the Trojan copies itself to the file:
mmsnmessengerupdate.exe in the Windows system folder,
and adds the following registry entry to ensure it is started on computer logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svshostdriver = msnmessengerupdate.exe
You can easy remove it with RegRun.
msnmsgs.exe
W32.Netsup.A@mm is a mass-mailing worm that sends itself to addresses gathered from the Microsoft Outlook address book.
The worm can also distribute itself through file-sharing networks.
Sends itself to all email contacts found in the the Outlook address book.
Large scale emailing may impact system performance.
W32.Netsup.A@mm can arrive as an attachment to an email with the following properties:
From: The From line will either be an address taken from the Microsoft Outlook address book or NetworkSupport@
.
Subjects: (One of the following)
Attachment: message.eml.pif
Body: A message sent could not be delivered to one or more of its recipients correctly. This is a permanent error. Attached is a copy of the original message.
Uses its own SMTP engine to email itself out to all contacts found in the Outlook address book.
The SMTP server the worm uses is taken from the Internet Account Manager settings.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "msnmsgs" = "%System%\msnmsgs.exe"
msnservice.exe
Added as a result of the CARPET.C virus.
W32.HLLW.Carpet.C is a worm that attempts to spread through the A:\ drive.
It does the following:
Copies itself to: %Winir%\MSNService.exe
Adds the value:
"MSNService" = "%Winir%\MSNService.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Attempts to copy to itself to a:\Iswarya.gif.exe every 60 seconds.
Manual remove:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value below:
"MSNService" = "%Windir%\MSNService.exe"
Automatical remove:
Use RegRun Startup Opimizer.
msnss.exe
W32.Gaobot.AUS
It is a repacked variant of W32.Gaobot.SN.
The worm spreads through open network shares and through backdoors that the Mydoom family of worms open.
Steals CD keys from a number of computer games.
Gives the creator backdoor access to the computer via IRC channel:
- Download and execute files
- Scan the network
- List, stop, and start processes
- Control the file system (Delete, create, and list files)
- Launch Denial of Service (DoS) attacks
- Perform port redirection
- Steal system information and email it to the attacker
Attempts to copy itself to computers with weak passwords.
Scans for computers that have been infected by Mydoom variants.
If it finds any, it uses the backdoor installed by Mydoom to copy itself onto the computer as Msgfix.exe.
Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the values, if present:
"Configuration Loader"="msnss.exe"
"Configuration Loader"="msgfix.exe"
msreg.exe
This is Backdoor.Zinx.
Backdoor.Zinx is a backdoor Trojan Horse that allows a hacker to use your compter as proxy and
steals information. By default the Trojan opens ports 14728 and 24759.
http://securityresponse.symantec.com/avc...
Suggest to kill it by RegRun Startup Optimizer.
msrege.exe
Backdoor.Zinx is a backdoor Trojan Horse that allows a hacker to use your compter as proxy and steals information.
By default it opens ports 14728 and 24759.
The Trojan is launched using an .html file that contains malicious Visual Basic Script (VBS) code.
When the .html file is opened, it does following:
Drops the q.vbs file and executes it. The file does the following:
Drops x.exe and executes it, which terminates security programs.
Downloads q.exe from a predetermined Web site and executes it.
Drops and executes the following files:
%Windir%\5845.exe
%Windir%\msreg.exe
%System%\svchostc.exe
%System%\svchosts.exe
Downloads configuration information from predetermined Web sites, and then runs svchostc.exe and svchosts.exe with these configurations.
Connects to a predetermined SMTP server and sends email message to a certain email address.
The message contains following information:
- Operating system version
- Registered user name
- Organization name
- AIM user accounts
- ICQ accounts
- Trillian accounts
- Ghisler Windows Commander and Total Commander information
- SMTP and POP email accounts and passwords
Automatical remove:
Use RegRun Startup Opimizer.
And navigate to the %System% folder and delete the svchosts.exe and svchostc.exe files.
msregscn.exe
FTP server / IRC trojan
Kills the firewall atGuard. The hacker is able to restart or shut the server down through IRC.
msrexe.exe
Remote Access / Hacking tool / ICQ trojan
Alters Win.ini and System.ini. Generates several .exe-files with randomly choosen names. The only real change in this version is that the server was recompiled.
msscra.exe
I-Worm.Lentin or W32/Yaha@MM dangerous trojan. Before removing from hard disk you must restore default file extension for exe files.
mssearch.dll
This is CoolWebSearch parasite.
Read more:
http://www.kephyr.com/spywarescanner/lib...
Remove it from startup.
msserv.exe
I-Worm.Hadra
This is an Internet worm that spreads via e-mails being attached as an EXE file.
The worm copies itself to the Windows directory with the MSSERV.EXE name and registers that file in the Windows registry auto-run keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msservice = %WinDir%\msserv.exe
The worm then stays in the Windows memory as a service, connects to MS Outlook and registers itself as MS Outlook "NewMail" and "ItemSend" events handler.
When a new mail has arrived, the worm looks as if it is its own message from another infected machine, and then deletes it.
When a message is being sent, the worm looks for already attached files, gets the first one, replaces it with its own copy with .EXE extenstion, and then sends it.
If the message has no attachment, the worm attaches itself with eight bytes of a random name and .EXE extenstion.
The worm disables several types of anti-virus protections, as well as immediately closes Registry editors upon their start-up.
Use RegRun Startup Opimizer for removal.
msset32.exe
Steals passwords / Keylogger
msskbtfm.exe
Remote Access / Downloading trojan
msslut32.exe
Worm.Win32.Sluter virus.
Spreads other local network.
More info at:
http://www.viruslist.com/eng/viruslist.h...
Remove it from startup by Start Control
mssmgrd.exe
WORM_SDBOT.JT
This is a memory-resident SDBOT variant.
It enables a remote user to access and compromise a target system.
It can also steal user and system information from a compromised system.
This worm propagates via network shares. It uses a list of user names and passwords to access a target system.
It exploits certain vulnerabilities to propagate across networks.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
and delete the entry or entries: Microsoft Update=”mssmgrd.exe”
Navigate to the key:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
and delete the entry or entries: Microsoft Update=”mssmgrd.exe”
Navigate to the key:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
and delete the entry or entries: Microsoft Update=”mssmgrd.exe”
mssystem98.exe
FTP trojan
mstask32.exe
PWSteal.Bamer.A steals passwords when you visit Web sites the belong to certain banks.
One indication of possible infections is the display of the message:
Invalid Operation at 0000:FF15
Creates the following files:
%System%\Azip32.dll: A legitimate .dll file.
%System%\Mfc91.dll: Detected as Keylogger.Trojan.
%System%\Mstask32.exe: Detected as PWSteal.Bamer.A.
%System%\Ole32a.dll: Detected as Keylogger.Trojan.
%System%\Regxp.reg.
Adds the value: "RunOnce"="%system%\mstask32.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Monitors for any Internet Explorer windows.
It logs the keystrokes to %Temp%\Recado.txt, if it finds any Internet Explorer containing any of the predefined URLs.
Emails the file, Recado.txt, to a server in Brazil, using the password stealer's built-in SMTP engine.
Please, remove it with RegRun Startup Optimizer.
mstaskmon.exe
I-Worm.Lentin dangerous trojan.
1. Restore default file extensions
2. Kill processes like msmdm.exe or similar, mstaskmon.exe.
3. Remove from startup.
4. Delete files.
Also you use free tool:
ftp://ftp.europe.f-secure.com/anti-virus/tools/yahatool.zip
mstconfig.exe
Name: Shtirlitz
Steals passwords
mstcpip.exe
W32/Sdbot-LR is a network worm for the Windows platform, allows a malicious user remote access to an infected computer through the IRC network.
When run the worm copies itself into the Windows system folder with the name mstcpip.exe and continues execution from this file.
Each time W32/Sdbot-LR is run it attempts to connect to a remote IRC server and join a specific channel.
The worm then runs in the background allowing a remote intruder to issue commands which control the computer.
Manual removal:
Navigate to the keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
and delete the value: TCPIP Protocol=mstcpip.exe
mstesk.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
msvbvm60.exe
Worm / Mail trojan / IRC trojan
The fails startas as follows: "F-Secure, Symantec and Microsoft, top leaders in IT technologies have discovered one very dangerous Internet worm called I-Worm. Universe in the wild." The five plug-in modules are encrypyed with RSA and includes: a mail plug-in that steals information from the Internet cache and mails it using a SMTP server; a feedback plug-in that mails the constructor; a payload plug-in that downloads a new wallpaper (Universe.jpg) and give Internet Explorer a new default page; a IRC plug-in altering mIRC; and a RAR plug-in enambling the uses of RAR compressed archives.
msvchost.exe
Trojan.Xombe is a Trojan horse that has two components: a 4,096 byte downloader and a 27,136 byte Trojan.
The downloader component will retrieve the Trojan file from a predetermined Web site.
The download component has been distributed in an unsolicited email, purporting to be a security update for Windows XP, sent by Microsoft.
The email has the following characteristics:
From: windowsupdate@microsoft.com
Subject: Windows XP Service Pack 1 (Express) - Critical Update.
Body: "Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)." And so on.
Attachment: winxp_sp1.exe
When the winxp_sp1.exe is executed, it will download another Trojan component from a predetermined Web site and execute it.
When this secondary file is executed, it will perform the following actions:
Creates a copy of itself as %System%\msvchost.exe.
This contains functionality to submit system information, download, and execute additional files from the predetermined Web site.
Adds the value:
"msvcc" = "%system%\msvchost.exe"
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Contacts the predetermined Web site a second time and accesses several scripts and submits information.
To prevent this Trojan from running, outgoing HTTP connections to domain gamemaniacs.org can be blocked.
Remove it from startup by RegRun Startup Optimizer.
msvsrv.exe
Remote Access
Alters Win.ini.
msvxd.exe
This is a virus.
For removal read instructions:
http://www.bullguard.com/virus/92.aspx
mswctl32.exe
W32/Rbot-IE is a worm which attempts to spread to remote network shares.
It allows unauthorised remote access to the computer via IRC channels.
It spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
Manual removal:
Navigate to the keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: Microsoft Windows Control = mswctl32.exe
mswin32.drv
JammerKillah12 trojan
mswin32.exe
Steals passwords / Trojan dropper / ICQ trojan
Drops the trojan The Thing 1.6.
mswinsck.exe
Mailsending trojan
Can mailbomb another user.
mswinsrv.exe
Backdoor.Mtron is a backdoor Trojan that records financial activity and sends it to a remote attacker using IRC.
It also gives the attacker the ability to download and run files on the infected computer.
Copies itself as %System%\MSWinSrv.exe
Attempts to delete all .txt files in the %Cookies% folder.
Records activity in windows that are associated with financial institutions.
It searches for open windows that have any of the following strings in the title bar:
Netbenefits; Fidelity; e-gold; Citibank; Citi
Logs keystrokes in these windows, and sends the information to the attacker using IRC.
No physical log of this information is kept on the local system - meaning that no file is created which stores this data.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "MSWinSrv"="%system%\MSWinSrv.exe"
mswinupd.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
msxxxx.exe
Worm / Destructive trojan / Network trojan
Alters Win.ini. It is also found in Windows Startup Directory. Msinit spreads itself through open network shares and disables infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimite program that may have been installed previously. In this case it´s used illegally.
msys32.exe
I-Worm.Masana is a worm virus spreading via the Internet as an attachment to infected emails.
The worm has bugs in its code; as a result some of its routines don't work.
Copies itself into the Windows system directory with under the msys32.exe name and registers this file in the system registry or in the SYSTEM.INI auto-run keys:
SYSTEM.INI
[boot]
shell=Explorer.exe msys32.exe -dontrunold
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Also, creates two additional files on disk that manage the exploit: ERunAsX.exe; ERunAsX.dll
Then creates another copy of itself under the name EEXPLORER.EXE name and by using DepPLoit exploit starts this copy with administrator rights.
To send infected messages the worm uses Windows MAPI functions.
To get victim email addresses Masana:
- looks for *.HTM* files and extracts email-like strings
- by using Windows MAPI functions it reads all unread messages from the Inbox and answers them.
This worm also:
- disables the MS Outlook Express 5.0 MAPISendMail warning.
- adds to the system the user named masyanechkaa with Admin privileges (under Windows NT)
Automatic removal: Use RegRun Startup Optimizer to remove it from startup.
mtmtask.dl
SubSeven 1.9 trojan
Copies to : c:\windows\system\mtmtask.dl
Default: System.ini
Shell=explorer.exe mtmtask.dl
Uses port 1243
mtx_.exe
Remote Access / Worm / Virus / Trojan dropper / Mail trojan / Downloading trojan
It tries to destroy up to eight different antivirus programs and makes it impossible to mail the AV company or visit its Web-site. Wsock32.dll is patched by the trojan. Whenever the user sends a mail, the trojan will mail another one to the same recipient with an attachment only. May be updated from the Internet.
music.exe
Worm / Downloading trojan
Hidden in a simple music and graphics program. Updates itself from the Web using plug-ins. It checks Windows Address Book and sends itself to every mail address found.
musirc4.72.exe
W32.Randex.AI is a network-aware worm that will attempt to connect to a predetermined IRC server to receive instructions from an attacker.
Spreads itself to other systems on the same network.
Allows unauthorized remote execution of commands on an infected computer.
Adds the value: "MusIRC (irc.music.com) client"="musirc4.72.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Attempts to authenticate itself to randomly generated IP addresses.
Copies itself to the following remote locations when a successful connection is made:
\ADMIN$\system32\musirc4.72.exe
\C$\WINNT\system32\musirc4.72.exe
Schedules itself to execute remotely created files.
Opens a connection to a specified Web site.
Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as:
- ntscan: Performs the scan of a specific computer with weak administrator passwords and copies itself to these computers.
- sysinfo: Retrieves the infected computer's information, such as CPU speed, memory, and so on.
Automatic removal: Use RegRun Startup Optimizer to remove it from startup.
