Trojan:Win32/Enchanim

Encyclopedia entry
Updated: Jul 09, 2012  |  Published: Feb 02, 2012

Aliases
  • Trojan.Win32.Menti.noix (Kaspersky)
  • WORM_SLENFBOT.JX (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.335.0
Released: May 17, 2013
Detection initially created:
Definition: 1.119.1228.0
Released: Feb 02, 2012


 

Summary

Trojan:Win32/Enchanim is a trojan that attempts to stop multiple security-related processes for the purpose of downloading and running other malicious code such as Worm:Win32/Gamarue.F.



 

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Certain security programs are disabled after running the malware
  • The presence of a file named "7af3996f" in the %TEMP% folder


 

Technical Information (Analysis)

Trojan:Win32/Enchanim is a trojan that attempts to stop multiple security-related processes for the purpose of downloading and running other malicious code such as Worm:Win32/Gamarue.F.

Installation

This trojan is installed by other malware and is present as a randomly named file in the Windows system folder. The malware uses code injection to hinder detection and removal. When Trojan:Win32/Enchanim executes, it injects its code into running processes, including, for example, the following:

  • csrss.exe
  • explorer.exe
  • lsass.exe
  • svchost.exe

Payload

Terminates processes

Trojan:Win32/Enchanim attempts to stop the following processes, many of which belong to security products:

  • cfp.exe
  • avp.exe
  • kaspersky.exe
  • op_mon.exe
  • mcafee.exe
  • mcagent.exe
  • mcshield.exe
  • mctray.exe
  • mcsvhost.exe
  • mfevtps.exe
  • mfefire.exe
  • zonealarm.exe
  • egui.exe
  • nod32.exe
  • ekrn.exe
  • nod32kui.exe
  • msseces.exe
  • spiderui.exe
  • drwagntd.exe
  • drwagnui.exe
  • spiderml.exe
  • spidernt.exe
  • avscan.exe
  • avnotify.exe
  • avgnt.exe
  • ashdisp.exe
  • AVGIDSMonitor.exe
  • avgnsx.exe
  • avgcsrvx.exe
  • avgrsx.exe
  • avgw.exe
  • avgamsvr.exe
  • avg.exe
  • avgwdsvc
  • norton.exe
  • ccsvchst.exe
  • psctrls.exe
  • pavfnsvr.exe
  • pshost.exe
  • avengine.exe

Downloads other malware

Trojan:Win32/Enchanim may contact a remote host at 188.190.98.166 on port 80 to download other malware, such as Worm:Win32/Gamarue.F.

This trojan was also observed contacting a remote host at 31.186.102.156 on port 80. Both addresses were observed in 2012 and may since have been reassigned to unrelated services; treat them as historical indicators that need corroboration from the host-side behaviour described above.
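The indicators spread across the Symptoms, Installation, Terminates processes and Downloads other malware sections can be checked together against endpoint telemetry. The script below is an added example, not code from this encyclopedia entry or from Microsoft: it assumes events are available as plain dicts keyed by Sysmon field names (EventID, Image, SourceImage, TargetImage, TargetFilename, DestinationIp, DestinationPort), and the sample event stream at the bottom is constructed for illustration. Only a subset of the kill list is embedded; the remaining names from the entry can be added to the same set.

```python
"""Triage Sysmon-style events for the behaviours described in this entry.

Added example; this is not code from the encyclopedia entry or from Microsoft.
It assumes events are plain dicts keyed by Sysmon field names (EventID, Image,
SourceImage, TargetImage, TargetFilename, DestinationIp, DestinationPort).
The sample events at the bottom are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Processes the trojan injects into (listed under Installation).
INJECTION_TARGETS = {"csrss.exe", "explorer.exe", "lsass.exe", "svchost.exe"}

# Security-related processes the trojan tries to stop (subset of the list under
# Terminates processes; extend the set with the rest of the entry's names).
KILL_LIST = {
    "cfp.exe", "avp.exe", "mcshield.exe", "zonealarm.exe", "egui.exe",
    "ekrn.exe", "msseces.exe", "avgnt.exe", "ccsvchst.exe", "avengine.exe",
}

# Remote hosts named under Downloads other malware, both on port 80.
# Observed in 2012, so treat as historical: the addresses may since have been
# reassigned to unrelated services, and a hit here needs corroboration.
C2_HOSTS = {("188.190.98.166", 80), ("31.186.102.156", 80)}

# The file the Symptoms section names, dropped into %TEMP%.
TEMP_MARKER = re.compile(r"\\temp\\7af3996f$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    category: str   # injection | av_kill | c2 | dropped_file
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events) -> list:
    """Return one Finding per event that matches an indicator from the entry."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 8:  # CreateRemoteThread: a thread created in another process
            target = _basename(ev["TargetImage"])
            if target in INJECTION_TARGETS:
                findings.append(Finding(8, "injection",
                                        f"{ev['SourceImage']} -> {target}"))
        elif eid == 5:  # ProcessTerminate: Sysmon does not record who killed the
            image = _basename(ev["Image"])   # process, so only the victim is checked
            if image in KILL_LIST:
                findings.append(Finding(5, "av_kill", image))
        elif eid == 3:  # NetworkConnect
            dest = (ev["DestinationIp"], int(ev["DestinationPort"]))
            if dest in C2_HOSTS:
                findings.append(Finding(3, "c2",
                                        f"{ev['Image']} -> {dest[0]}:{dest[1]}"))
        elif eid == 11:  # FileCreate
            if TEMP_MARKER.search(ev["TargetFilename"]):
                findings.append(Finding(11, "dropped_file", ev["TargetFilename"]))
    return findings


def verdict(findings) -> str:
    """Require two independent behaviour categories before calling it a match.

    A lone AV service stop, or a single connection to an address that may have
    been reassigned years ago, is weak evidence on its own; two different
    categories together are much less likely to be coincidence.
    """
    categories = Counter(f.category for f in findings)
    if len(categories) >= 2:
        return "likely Trojan:Win32/Enchanim activity"
    if categories:
        return "weak indicator, corroborate"
    return "no indicators"


# Constructed sample stream (not real telemetry): one dropped marker file, an
# injection into explorer.exe, two AV terminations, a C2 fetch, and benign noise.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\ufkqwe.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\7af3996f"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\ufkqwe.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 5, "Image": r"C:\Program Files\Microsoft Security Client\msseces.exe"},
    {"EventID": 5, "Image": r"C:\Program Files\ESET\ekrn.exe"},
    {"EventID": 5, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "188.190.98.166", "DestinationPort": "80"},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": "443"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"Event {f.event_id:2d} {f.category:13s} {f.detail}")
    print(verdict(found))
```

Run as a script it prints one line per matching event and the verdict for the constructed stream. The two-category rule in verdict() is the practitioner's caveat: a process from the Windows system folder creating a thread in explorer.exe or lsass.exe is a strong signal, but a terminated AV process or a connection to a 2012-era address is not, so neither should raise an incident on its own.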

Analysis by Jeong Mun



 

Prevention



 

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
