mark2 Posted November 7, 2003

Troj/Peper-A is a Trojan which downloads files from the internet to the victim's computer.

Troj/Peper-A drops several copies of itself, with system and hidden attributes set, within the Windows system folder as randomly-named EXE files and adds an entry to the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run itself on system restart. Note, the entry in the registry may point to a different copy of the Trojan after every reboot.

Troj/Peper-A also drops a hidden encrypted data file within the Windows system folder which contains information about the copies of the Trojan on the disk.

Troj/Peper-A has two copies of itself running at any time, one to download files from the internet and one to monitor the current process IDs to make sure it is running. Thus, if one copy is terminated using the Task Manager, another copy is immediately started.

Sophos

A bit of a pig to get rid of.

Examples found:

C:\WINDOWS\System32\DeiZ64.exe
C:\WINDOWS\System32\UdwY0IeN.exe

and

O4 - HKLM\..\Run: [3GD84D64292KBW] C:\WINDOWS\System32\Vxk9.exe

The above filenames are random.

To clear it

With thanks to speedy and radio at http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi

Run this uninstaller:
http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves:
http://www.mjc1.com/files/mo/drpeper.html

Download Drpepertobackup.exe, save to disk, and double-click the file; it will self-extract to c:\.

Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.

On the first prompt, copy and paste: DeiZ64.exe (filename) and hit OK.

On the second, paste: UdwY0IeN.exe (filename) and hit OK again.

The presence of a process like Vxk9.exe running should hit the alarm bells.
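A detection sketch for the behaviour quoted above, where the Run entry may point to a different copy after every reboot. This is an added example, not part of the original post or any tool it mentions. It compares two HijackThis logs and reports Run values that were retargeted to another EXE in the system folder. The sample logs are constructed from the filenames in the post; the `ExampleUpdater` entry, the function names, the default `C:\WINDOWS\System32` path and the idea that the value name stays constant are assumptions.

```python
import re
from ntpath import basename, dirname, normcase

# HijackThis O4 line for a machine-wide Run value, in the format quoted in the post.
O4_RUN = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SYSTEM_DIR = normcase(r"C:\WINDOWS\System32")  # assumption: default install path

# Constructed sample logs (before and after a reboot); not real captures.
BEFORE = r"""
O4 - HKLM\..\Run: [3GD84D64292KBW] C:\WINDOWS\System32\Vxk9.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
"""
AFTER = r"""
O4 - HKLM\..\Run: [3GD84D64292KBW] C:\WINDOWS\System32\DeiZ64.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
"""

def run_entries(log_text):
    """Map each HKLM Run value name to the executable path it launches."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        exe = re.match(r'"?(.+?\.exe)\b', cmd, re.I)  # drop quotes and arguments
        entries[m.group("name")] = exe.group(1) if exe else cmd
    return entries

def retargeted_entries(before_log, after_log):
    """Run values that kept their name but now point at a different EXE
    directly inside the system folder: the rotation described in the post."""
    before, after = run_entries(before_log), run_entries(after_log)
    findings = []
    for name, new_path in sorted(after.items()):
        old_path = before.get(name)
        if old_path is None or normcase(old_path) == normcase(new_path):
            continue
        both_in_sysdir = all(normcase(dirname(p)) == SYSTEM_DIR
                             for p in (old_path, new_path))
        if both_in_sysdir and new_path.lower().endswith(".exe"):
            findings.append((name, basename(old_path), basename(new_path)))
    return findings

if __name__ == "__main__":
    for name, old, new in retargeted_entries(BEFORE, AFTER):
        print(f"Run value [{name}] moved from {old} to {new}")
```

A legitimate updater can also rewrite its own Run value, so a hit is a lead to check against the hidden and system file attributes described in the post, not a verdict.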