There is a Trojan that is capable of completely disabling the most recent version of ZoneAlarm, Symantec AntiVirus, and the Windows XP firewall. This Trojan appears to be a new version of Haxdoor. It downloaded itself into my computer without displaying any security approval boxes. All that I saw was the following window:
The download completed in only a few seconds, so I didn't have time to press the cancel button. The file that was downloaded was C:\0.exe which appears to be the installer program for the Trojan. I have captured the installer program in a ZIP file and uploaded it to http://www.bluealan.com/virus.zip so security experts could analyze this file and help stop this Trojan.
The installer program created the following files in my C:\Windows\System32 folder:
These files cannot be seen from My Computer due to the Trojan's ability to hide itself. Once the Trojan was fully installed, it automatically disabled ZoneAlarm Pro. I ran both Symantec AntiVirus and Microsoft AntiSpyware but they didn't find the Trojan. I also tried to start the Windows XP firewall, but it was also disabled.
The Trojan was running under the System process. It began sending and receiving data across the Internet. Since the Trojan contains a password stealer and a keylogger, I would guess that it was sending that information to the people that created the Trojan. I used a packet sniffer, and saw that data was being sent from the Trojan to the following IP addresses:
Both of these IP addresses go to an apache server without an index page. Does anybody think that these IP addresses belong to the people who created this Trojan? How can these people be traced? Since the Trojan contains spyware, I think the people who created this are receiving a lot of personal information from computers that have been infected.
I have tried several different AntiVirus and AntiSpyware programs, but I couldn't find any that could remove this Trojan. However, I did find a way to manually remove it. Here are the steps that I took to remove this Trojan:
1. Download and install the free Unlocker application from http://ccollomb.free.fr/unlocker/
2. Delete the file C:\0.exe. If you get an error message, right-click on 0.exe and click on "Unlocker". Then click on "Unlock All" and close the Unlocker application. You should now be able to delete the file.
3. Start Microsoft Word and click on the Open button. Go to the folder C:\Windows\System32
4. In the "File name:" box, type avpe64.sys and press "Open".
5. Press ctrl+A and then press the delete key.
6. Now click on the Save button. If you see a warning about the text format, press "Yes".
7. Repeat steps 3-5 for the files "klgcptini.dat", "qz.dll", "qz.sys", and "stt82.ini".
8. Restart your computer.
9. Go to My Computer, and go to the C:\Windows\System32 folder.
10. Right-click on avpe32.dll and then click on "Unlocker".
11. Click on "Unlock All" and then close the Unlocker application.
12. Delete the file avpe32.dll and then delete the files "klgcptini.dat", "qz.dll", "qz.sys", and "stt82.ini".
13. Empty your Recycle Bin. Now the Trojan should be removed from your computer.
I hope that Zone Labs will investigate this Trojan and find a way to protect ZoneAlarm users from it. Will they read the information in this post, or should I e-mail them?
Operating System: Windows XP Home Edition
Product Name: ZoneAlarm Pro