M December 19, 2008 Virus Alert - TROJ_DLOADER.GAX
TROJ_DLOADER.GAX
   
Virus type: Trojan
Destructive:  No
Aliases: Packed.Win32.PolyCrypt.b (Kaspersky), New Malware.ek !! (McAfee), Trojan Horse (Symantec), TR/Dldr.DNSChanger.Gen (Avira), Mal/EncPk-AW (Sophos),
Pattern file needed: 5.543.00
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: Low

Description :

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware.

It drops files/components.

It creates registry key(s)/entry(ies) to enable its related spyware to run at every system startup.

It drops a file detected by Trend Micro as TSPY_GAMETHIE.SE. As a result, routines of the dropped file may also be exhibited on the affected system.

It deletes itself after execution.

Solution :

Note: To fully remove all associated spyware, perform the clean solution for TSPY_GAMETHIE.SE.

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as TROJ_DLOADER.GAX.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Removing Random CLSIDs from the Registry

This procedure removes random CLSID keys created by this malware. You will need the file name(s) detected earlier.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. Press CTRL+F.
  3. In the Find dialog box, type the file name of the malware detected earlier.
    (Note: Make sure that only the data checkbox is selected, then click Find Next.)

    4. Find.

  4. Once found, in the right panel, check if the result is the following value-data pair:
    (Default) = "{Malware path and file name}"
  5. If yes, in the left panel, locate the CLSID where the data is under.
    (Note: The CLSID is the characters enclosed in curly brackets {}. If the value-data pair is not found under a CLSID key, repeat steps 2-5.)
  6. Right-click on the located CLSID in the left panel and press Delete.
  7. Repeat steps 2 to 6 until the Finished searching through the registry dialog box appears.

Removing Other Malware Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>Explorer>ShellExecuteHooks
  2. In the right panel, locate and delete the entry or entries whose data value is the noted CLSID earlier.
  3. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>ShellServiceObjectDelayLoad
  4. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
  5. Close Registry Editor.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    %System%\{Random name}.nls
     (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_DLOADER.GAX. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.


For additional information about this threat, see Technical Details.