Home Education E-BooksTravel Troubleshooting Linux Contact Us About Us
Troubleshooting Tips And Steps
Windows & Hardware Tips
Information On Viruses

virus file



Trojan Characteristics

NB: The first variant of this Trojan is detected with the 4190 DATs. Detection of a later variant requires the latest daily DATs - link below. (Detection will be included in next full DAT release.) When the server component of this Remote Access Trojan (dubbed 'AceBot' by its author) is executed on the victim machine, the Trojan copies itself to the Windows System directory as a randomly named executable, deleting the original file. For example:


In testing the Trojan was observed to disable the personal firewall in use. Strings within the Trojan suggest that the following personal firewalls will be bypassed:

Sygate Personal Firewall
Tiny Personal Firewall
ZoneAlarm Pro

The Trojan sets the following Registry key to ensure it is executed at subsequent system startups (adjust the filename as necessary):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion_ \Run "Microsoft Diagnostic" = C:\WINDOWS\SYSTEM\TJSTBU.EXE

Once running, the Trojan attempts to connect to an IRC server, in order to join a channel and listen for remote commands. Strings within the server suggest a variety of functions may be performed remotely. These include the following:

Shutdown server (self kill)
Issue channel message
Update server
Run file
Download files
Send packets
Logoff machine
Shutdown machine

NB: Due to the wide variety of functions offered by this Remote Access Trojan, the payload danger is highly variable. Also, since this Trojan appears to be able to update itself, other functions may also be possible.

Code within the server suggests that it is able to spread between machines via the local network using shared drives. If successful, the worm attempts to copy itself to the following location (directory is hardcoded) on the remote machine:

\WINDOWS\Start Menu\Programs\Startup\MSSG.EXE

Network propagation was not observed during testing, suggesting that this infection method is triggered by a remote command.


The existence of a oddly named .EXE file of length 163,840 bytes in the Windows system directory. Disabled personal firewall

Method Of Infection

The Trojan infects a machine upon its initial execution. Thereafter, it is executed at system startup thanks to a Registry hook.

If you are fed up with any virus and not getting solution of it. mail us on amgroup@skillsheaven.com and please provide all the detail about virus.