Trojan.Dropper.LV worm

September 21, 2005

The Trojan.Dropper.LV worm has infected several computers on campus. This trojan installs several spyware and adware programs on an infected computer, as well as a copy of the W32.Mytob.KM virus.

At this time, Symantec does not have a definition for this worm. Symantec AntiVirus will detect some of the spyware and adware that is installed with this worm, but not the worm itself.

Symptoms

  • Installs several viruses and spyware/adware packages including:
    • Trojan.ISTsvc
    • Adware.MaxSearch
    • Adware.Shorty
    • Adware.ISTbar
    • Adware.180Solutions
    • Adware.180Search
    • Adware.Bullseye
    • Adware.BargainBuddy
    • Adware.SurfAccuracy
    • Adware.YourSiteBar
    • Adware.LinkMaker
    • Adware.SideFind
    • Adware.PowerScan
    • Adware.ZangoSearch
  • Disables Windows Firewall
  • Disables Windows Automatic Updates
  • Blocks access to many security and anti-virus vendor websites (for example, Symantec and Trend Micro), which interferes with downloading definitions or removal tools

Removal

Until Symantec releases definitions or a repair tool for this package, we have tested a manual method that seems to clean up the infection well.

  1. Reboot your computer in Safe Mode with Networking.
  2. Download HijackThis from the SpywareInfo page (http://www.spywareinfo.com/~merijn/files/HijackThis.exe).
  3. Save the file to your desktop.
  4. Double-click the HijackThis icon on your desktop.
  5. If you are opening HijackThis for the first time, click OK.
  6. Click the Do a system scan only button.

    When the scan is complete, a list of items will appear in the window.
  7. Place a check in the boxes beside any of the following items that appear:
    • O4 - HKLM\..\Run: [Windows GMT] wingmt.exe
    • O4 - HKLM\..\RunServices: [Windows GMT] wingmt.exe
    • O4 - HKLM\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000099.exe
    • O4 - HKLM\..\Run: [http://www.lienvandekelder.com] \Lien Van de Kelder.exe
    • O4 - HKLM\..\RunServices: [http://www.lienvandekelder.com] \Lien Van de Kelder.exe
  8. Click the Fix checked button.
  9. If you found any of the items above, your computer's security has been compromised. This virus package turns off Automatic Updates and can turn off your Windows firewall, leaving your computer vulnerable to other attacks. You need to run VTNet 2006 to properly secure your computer.

If HijackThis does not find any of these entries, your computer has not been infected with this worm. If your computer still seems to be having problems, it may have other viruses or spyware on it. Follow the steps in the Clean it up section of the Antivirus site, specifically scanning for viruses and spyware.

NOTE: Fixing the HijackThis entries deals only with the dropper itself. You will still need to remove the spyware and adware programs it installed. You can remove many of these packages by following the steps in the Clean it up section of the Antivirus site, specifically scanning for viruses and spyware.
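The check in step 7 can be done against a saved HijackThis log instead of by eye, which is useful when triaging several machines. The script below is an added example written for this page, not a tool from the advisory or from Symantec/Trend Micro. It matches the O4 autostart lines against the five entries listed in step 7 (tolerating the letter-O/zero and spacing differences seen in the list above) and also flags O1 hosts-file lines that redirect Symantec or Trend Micro hosts, since the advisory says the worm blocks those sites but does not say which address it points them to. The sample log is constructed for the example; the hosts-file addresses in it are made up.

```python
"""Triage a saved HijackThis log for the Trojan.Dropper.LV autostart entries
listed in step 7 and for hosts-file entries that block Symantec/Trend Micro."""
import re

# The five O4 entries from step 7 as (autostart key, value name, executable basename),
# stored lowercased so that matching is case-insensitive.
DROPPER_LV_RUN_ENTRIES = {
    ("run", "windows gmt", "wingmt.exe"),
    ("runservices", "windows gmt", "wingmt.exe"),
    ("run", "services32", "mc-58-12-0000099.exe"),
    ("run", "http://www.lienvandekelder.com", "lien van de kelder.exe"),
    ("runservices", "http://www.lienvandekelder.com", "lien van de kelder.exe"),
}

# Vendors the symptom list says the worm blocks. Any hosts-file entry for one of
# these is suspicious whatever address it points to.
BLOCKED_VENDOR_DOMAINS = ("symantec.com", "trendmicro.com")

# HijackThis writes the section code with a letter O; the advisory's list shows a
# zero in places, so accept either. Spacing around the colon also varies.
O4_RE = re.compile(
    r"^[O0]4\s*-\s*(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*)\s*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$",
    re.IGNORECASE,
)
O1_RE = re.compile(r"^[O0]1\s*-\s*Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.IGNORECASE)


def parse_o4(line):
    """Return (hive, key, value_name, exe_basename) for an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip().strip('"')
    exe = cmd.rsplit("\\", 1)[-1].strip()  # basename, e.g. "wingmt.exe"
    return m.group("hive").upper(), m.group("key"), m.group("name").strip(), exe


def triage_log(text):
    """Return the log lines matching the Dropper.LV indicators.

    'run_entries' are the O4 lines to tick in HijackThis, 'hosts_entries' are O1
    lines naming a blocked vendor, and 'infected' is True if any O4 indicator hit.
    """
    run_hits, hosts_hits = [], []
    for raw in text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            _, key, name, exe = o4
            if (key.lower(), name.lower(), exe.lower()) in DROPPER_LV_RUN_ENTRIES:
                run_hits.append(line)
            continue
        m = O1_RE.match(line)
        if m and m.group("host").lower().endswith(BLOCKED_VENDOR_DOMAINS):
            hosts_hits.append(line)
    return {"run_entries": run_hits, "hosts_entries": hosts_hits, "infected": bool(run_hits)}


# Constructed sample log: the four indicator lines, two made-up hosts redirects,
# and two legitimate autostart entries that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O1 - Hosts: 127.0.0.1 www.symantec.com
O1 - Hosts: 127.0.0.1 securityresponse.symantec.com
O4 - HKLM\..\Run: [Windows GMT] wingmt.exe
O4 - HKLM\..\RunServices: [Windows GMT] wingmt.exe
O4 - HKLM\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000099.exe
O4 - HKLM\..\Run: [http://www.lienvandekelder.com] \Lien Van de Kelder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print("Infected:", result["infected"])
    for entry in result["run_entries"]:
        print("Tick in HijackThis:", entry)
    for entry in result["hosts_entries"]:
        print("Hosts redirect:", entry)
```

Run it against a log saved from HijackThis (Do a system scan and save a logfile) and tick exactly the lines it prints. A clean log produces no hits and `infected` is False; a log with a hosts redirect but no O4 hit still reports the redirect so it can be cleaned, since a blocked vendor site will also stop Symantec updates from arriving once definitions are released.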

Trend Micro has released further information on this dropper and on the Mytob variant it installs:
http://www.trendmicro.com/vinfo/virusencyclo/default5.php?VName=TROJ%5FDROPPER%2ELV

http://www.trendmicro.com/vinfo/virusencyclo/default5.php?VName=WORM%5FMYTOB%2EKM