Peper.A trojan


mark2

Troj/Peper-A is a Trojan which downloads files from the internet to the victim's computer.

Troj/Peper-A drops several copies of itself, with system and hidden attributes set, within the Windows system folder as randomly-named EXE files and adds an entry to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run itself on system restart.

Note, the entry in the registry may point to a different copy of the Trojan after every reboot.

Troj/Peper-A also drops a hidden encrypted data file within the Windows system folder which contains information about the copies of the Trojan on the disk.

Troj/Peper-A has two copies of itself running at any time, one to download files from the internet and one to monitor the current process IDs to make sure it is running. Thus, if one copy is terminated using the Task Manager, another copy is immediately started.

Sophos

A bit of a pig to get rid of.

Examples found:

C:\WINDOWS\System32\DeiZ64.exe

C:\WINDOWS\System32\UdwY0IeN.exe

and

O4 - HKLM\..\Run: [3GD84D64292KBW] C:\WINDOWS\System32\Vxk9.exe

The above filenames are random.

To clear it:

with thanks to speedy and radio at http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi

Run this uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves:

http://www.mjc1.com/files/mo/drpeper.html

Download Drpepertobackup.exe, save it to disk, and double-click the file; it will self-extract to c:\.

Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.

On the first prompt, copy and paste the first filename (here DeiZ64.exe) and hit OK.

On the second, paste the second filename (here UdwY0IeN.exe) and hit OK again.

The presence of a process like Vxk9.exe running should set off alarm bells.

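Added example, not part of the post above, the Sophos description, or either linked removal tool: a PowerShell triage and cleanup helper for the behaviour the post describes (random-named Hidden+System EXEs directly inside System32, a HKLM Run value pointing at one of them, and two running copies that respawn each other). Everything beyond that description is an assumption of this example: the function names, the five-minute "dropped around the same time" window used to spot the hidden data file, and the use of NtSuspendProcess to freeze both copies before killing either, which is a general way to beat a mutual watchdog rather than anything the page states about this trojan. Run it from an elevated PowerShell on a modern Windows (PowerShell 3 or later; the original post predates that).

```powershell
# Added triage/cleanup helper for a Peper-style trojan with a mutual watchdog.
# Not from the original post, Sophos, or the linked uninstaller. Run as Administrator.
# Assumptions (not stated on the page): copies sit directly in %SystemRoot%\System32,
# are marked Hidden+System, and are started from the HKLM Run key shown in the post.

$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Sys32  = Join-Path $env:SystemRoot 'System32'

# NtSuspendProcess freezes a whole process; a frozen watchdog cannot respawn its sibling.
Add-Type -Namespace Win32 -Name NtDll -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
'@

function Get-RunTarget {
    # Pull the executable path out of a Run value ("C:\x\a.exe" /q  or  C:\x\a.exe /q)
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-HiddenSystemFile {
    # True when the file carries both the Hidden and the System attribute
    param([IO.FileInfo]$File)
    $hidden = ($File.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $system = ($File.Attributes -band [IO.FileAttributes]::System) -ne 0
    return ($hidden -and $system)
}

function Find-SuspiciousRunEntries {
    # Run values whose target is a Hidden+System .exe directly inside System32
    $key = Get-Item -LiteralPath $RunKey
    foreach ($name in $key.GetValueNames()) {
        $target = Get-RunTarget ([string]$key.GetValue($name))
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { continue }
        $file = Get-Item -LiteralPath $target -Force
        if ($file.DirectoryName -ieq $Sys32 -and $file.Extension -ieq '.exe' -and (Test-HiddenSystemFile $file)) {
            [pscustomobject]@{ ValueName = $name; Path = $file.FullName; Created = $file.CreationTime }
        }
    }
}

function Find-WatchdogProcesses {
    # Both running copies, whichever file the Run value currently points at
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and (Split-Path $_.Path -Parent) -ieq $Sys32 -and
        (Test-HiddenSystemFile (Get-Item -LiteralPath $_.Path -Force))
    } | Select-Object Id, ProcessName, Path
}

function Find-SiblingFiles {
    # Heuristic (assumption): the hidden data file and the other copies were dropped
    # within a few minutes of the flagged EXE, so list Hidden+System files near that time.
    param([datetime]$Near, [int]$WindowMinutes = 5)
    Get-ChildItem -LiteralPath $Sys32 -File -Force |
        Where-Object { (Test-HiddenSystemFile $_) -and
                       [math]::Abs(($_.CreationTime - $Near).TotalMinutes) -le $WindowMinutes } |
        Select-Object FullName, Length, CreationTime
}

function Stop-MutualWatchdog {
    # Freeze every copy first, then kill; once all are suspended the order no longer matters
    param([int[]]$ProcessId)
    $procs = Get-Process -Id $ProcessId
    foreach ($p in $procs) { [void][Win32.NtDll]::NtSuspendProcess($p.Handle) }
    $procs | Stop-Process -Force
}

function Remove-PeperArtifacts {
    # Remove the Run value(s) first so a reboot cannot bring a copy back, then the files
    param([string[]]$ValueName, [string[]]$Path)
    foreach ($v in $ValueName) { Remove-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue }
    foreach ($f in $Path) {
        (Get-Item -LiteralPath $f -Force).Attributes = [IO.FileAttributes]::Normal   # clear Hidden/System
        Remove-Item -LiteralPath $f -Force
    }
}

# Report only by default; read the output before calling the Stop-/Remove- functions.
$entries = @(Find-SuspiciousRunEntries)
$procs   = @(Find-WatchdogProcesses)
$entries | Format-Table -AutoSize
$procs   | Format-Table -AutoSize
if ($entries) { Find-SiblingFiles -Near $entries[0].Created | Format-Table -AutoSize }
```

Once the report matches what the post describes (a random-named Run value, two running copies from System32), the cleanup is `Stop-MutualWatchdog -ProcessId $procs.Id` followed by `Remove-PeperArtifacts -ValueName $entries.ValueName -Path (($entries.Path + $procs.Path) | Sort-Object -Unique)`, and then a reboot and a second run of the report to confirm nothing came back. The suspend step is the point of the example: killing the copies one at a time, as Task Manager does, is exactly what the second copy is there to undo. Files listed by Find-SiblingFiles are candidates only, since legitimate Hidden+System files also exist in System32; check them before deleting.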
