
Win32/Horst


Microsoft security software detects and removes this threat.
 
Win32/Horst is a collection of discrete trojan components that perform various tasks. The initial downloading component may be distributed passively via the eMule/eDonkey peer to peer network. The initial downloading component downloads and installs a second downloader component. This second downloader is responsible for installing the various other functional components of the Horst family. Many of the Horst components are designed to send spam.


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Horst is a collection of discrete trojan components that perform various tasks. The initial downloading component may be distributed passively via the eMule/eDonkey peer to peer network. The initial downloading component downloads and installs a second downloader component. This second downloader is responsible for installing the various other functional components of the Horst family. Many of the Horst components are associated with sending spam.
Installation
While functionally similar, the actual installation details of related variants of the Horst family may differ. The following installation example is fairly typical.
 
TrojanDownloader:Win32/Horst.I may be offered with a filename that implies it is a software crack (for example “PDFIn PDF to DWG Converter 2008 crack0.exe”). When a user downloads and executes this file, the trojan injects itself into the ‘svchost.exe’ process and then downloads a file to %TEMP%\s[num]wt.exe (where [num] is a numeric string, for example 's2350wt.exe'). This downloaded file is the main downloading component and is detected as TrojanDownloader:Win32/Horst.H.
 
When executed, it copies itself to “%windir%\system\smvss.exe” and injects itself into the svchost.exe process. The registry is then modified to ensure that this component is executed at each Windows start:
Adds value: " devenv"
With data: "%windir%\system\smvss.exe /w"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Once installed, this main component is used to download and install additional components that may then be used to perform different functions. These functions may include registering e-mail accounts with providers such as Google, AOL and Hotmail, sending spam and spreading via eDonkey/eMule P2P networks (see below for additional detail). Additional components are downloaded and executed from the %Temp% directory.
Spreads Via…
eDonkey/eMule P2P File Sharing Networks
One discrete Horst component is used to distribute the initial trojan downloader by offering it for download via the eDonkey/eMule P2P file sharing networks. The downloader may be offered under the guise of a software crack or key generator. For example, in the wild, the following filenames have been used for this component:
  • “PDFIn PDF to DWG Converter 2008 crack0.exe”
  • “DAEMON Tools 4.12 serial0 keygen0.exe”
  • “Norton Ghost 14 serial0 keygen0.exe”
Horst components may use the following eDonkey servers:
Payload
Sends Spam
Horst tries to send spam by manipulating different free online e-mail providers. The content of such spam is typically associated with online pharmacies.
Additional Information
Horst components may contact the following domains during their operations:
 
Analysis by Scott Molenkamp

Symptoms

The following can indicate that you have this threat on your PC:

  • The presence of the following files:

    “%windir%\system\smvss.exe”
    %TEMP%\s[num]wt.exe (or similar)
  • The presence of the following registry modification:

    Adds value: " devenv"
    With data: "%windir%\system\smvss.exe /w"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
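A host-side check for the file and registry indicators listed above, added here as an example and not part of the Microsoft entry. It assumes PowerShell 3.0 or later and an elevated prompt; the %TEMP% check covers the current user's temp folder only.

```powershell
# Added example (not from the Microsoft entry): look for the Win32/Horst
# indicators listed under "Symptoms" and report what was found.
$findings = @()

# 1. Run-key persistence: value name " devenv" (note the leading space)
#    with data "%windir%\system\smvss.exe /w".
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        # Match on the odd value name or on the dropped binary's name,
        # so a variant that renames the value is still caught.
        if ($p.Name -eq ' devenv' -or "$($p.Value)" -match 'smvss\.exe') {
            $findings += "Run key: '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 2. Main downloading component copied to %windir%\system\smvss.exe.
$smvss = Join-Path $env:windir 'system\smvss.exe'
if (Test-Path -LiteralPath $smvss) {
    $findings += "File: $smvss"
}

# 3. Initial download staged as %TEMP%\s<digits>wt.exe (e.g. s2350wt.exe).
Get-ChildItem -Path $env:TEMP -Filter 's*wt.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^s\d+wt\.exe$' } |
    ForEach-Object { $findings += "File: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No Win32/Horst indicators found.'
} else {
    'Possible Win32/Horst indicators:'
    $findings | ForEach-Object { "  $_" }
}
```

A hit on any of the three checks is a reason to run the full scan recommended under “What to do now”, since the downloader installs further components that this script does not enumerate.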

Prevention


Alert level: Severe
This entry was first published on: Jul 07, 2008
This entry was updated on: Jul 16, 2015

This threat is also detected as:
No known aliases