VirTool:WinNT/Sefprop.A


VirTool:WinNT/Sefprop.A is a trojan that prevents certain processes from executing and hides certain registry subkeys. The trojan may be installed by other malware such as Exploit:Win32/CVE-2010-4398.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

VirTool:WinNT/Sefprop.A is a trojan that prevents certain processes from executing and hides certain registry subkeys.

Installation

This trojan may be installed by other malware such as Exploit:Win32/CVE-2010-4398 and may be present as the following file:
C:\1.sys

Payload

Hides processes

VirTool:WinNT/Sefprop.A hides the following processes in memory:
  • IEProtector.exe
  • POPwad.exe

Blocks processes

The trojan prevents the following processes from running:
  • inst.exe
  • 360Safe.exe
  • 360sd.exe
  • 360rp.exe
  • 360rps.exe
  • 360tray.exe
  • Client.exe
  • SuperKiller.exe

Hides and deletes registry subkeys

The trojan hides the following registry subkey from view:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IEProtect

The trojan also deletes the following registry subkey:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\360Safetray

Analysis by Vincent Tiu

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
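
Because the trojan hides its processes and its Run entry from the running system, a listing taken on the live host can come back clean. The Python below is an added example, not part of the original entry or of any Microsoft tool: it compares a live listing with one collected out of band (for instance from an offline registry hive or a memory image; how those listings are collected is assumed) and flags the names this entry lists. The function and parameter names are hypothetical and the sample data is constructed.

```python
# Added example: cross-view triage for the behaviours listed in this entry.
# Inputs are plain name lists the analyst has already collected; how the
# "raw" (out-of-band) views are obtained is an assumption of this example.

HIDDEN_PROCESSES = {"ieprotector.exe", "popwad.exe"}
BLOCKED_PROCESSES = {"inst.exe", "360safe.exe", "360sd.exe", "360rp.exe",
                     "360rps.exe", "360tray.exe", "client.exe", "superkiller.exe"}
HIDDEN_RUN_ENTRY = "ieprotect"   # under HKLM\...\CurrentVersion\Run
DRIVER_PATH = r"c:\1.sys"


def _norm(names):
    """Windows names are case-insensitive: compare lower-cased, trimmed."""
    return {n.strip().lower() for n in names}


def triage(live_procs, raw_procs, live_run, raw_run, raw_files, failed_starts=()):
    """Return a list of (severity, finding) tuples, strongest evidence first."""
    live_procs, raw_procs = _norm(live_procs), _norm(raw_procs)
    live_run, raw_run = _norm(live_run), _norm(raw_run)
    findings = []

    # Anything present only in the raw view is being hidden from the live API.
    for name in sorted(raw_procs - live_procs):
        sev = "high" if name in HIDDEN_PROCESSES else "medium"
        findings.append((sev, f"process hidden from live view: {name}"))
    for name in sorted(raw_run - live_run):
        sev = "high" if name == HIDDEN_RUN_ENTRY else "medium"
        findings.append((sev, f"Run entry hidden from live view: {name}"))

    if DRIVER_PATH in _norm(raw_files):
        findings.append(("high", f"driver file present: {DRIVER_PATH}"))

    # Supporting evidence only: these programs can fail to start for other reasons.
    blocked = sorted(_norm(failed_starts) & BLOCKED_PROCESSES)
    if blocked:
        findings.append(("low", "listed processes failed to start: " + ", ".join(blocked)))
    return findings


# Constructed sample data, not taken from a real host.
SAMPLE = dict(
    live_procs=["explorer.exe", "svchost.exe"],
    raw_procs=["explorer.exe", "svchost.exe", "IEProtector.exe"],
    live_run=["ctfmon"],
    raw_run=["ctfmon", "IEProtect"],
    raw_files=[r"C:\1.sys", r"C:\boot.ini"],
    failed_starts=["360tray.exe", "notepad.exe"],
)

if __name__ == "__main__":
    for severity, message in triage(**SAMPLE):
        print(severity, message)
```

A "medium" finding is a name hidden from the live view that this entry does not list; it still indicates that something is filtering the live listing.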

Prevention


Alert level: Severe
First detected by definition: 1.101.147.0
Latest detected by definition: 1.101.147.0 and higher
First detected on: Mar 25, 2011
This entry was first published on: Mar 29, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases