Additional remediation instructions for TrojanSpy:Win32/Worsmep.A
This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article(s):
TrojanSpy:Win32/Worsmep.A is a trojan that modifies the infected computer's Hosts file, and monitors the user's Internet activities.
Upon execution, TrojanSpy:Win32/Worsmep.A displays the following dialog box:
If the user clicks the 'OK' button, the trojan creates the following file:
TrojanSpy:Win32/Worsmep.A also modifies the registry so that the above file is executed on each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "y_updater"
With data: "%ProgramFiles%\Yahoo\y_updater.exe"
Modifies Hosts file
TrojanSpy:Win32/Worsmep.A modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a website's hostname to a particular IP address. Malicious software may modify the Hosts file to redirect specified hostnames to different IP addresses; malware often does this to stop users from reaching websites associated with security-related applications, such as antivirus products.
TrojanSpy:Win32/Worsmep.A overwrites the Hosts file, located at <system folder>\drivers\etc\hosts, with the entries listed below:
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
This causes the browser to be directed to IP address 188.8.131.52 when the user attempts to visit any of the escrow websites listed in the Hosts file. At the time of writing, this IP address hosts a phishing website that looks identical to the legitimate escrow.com website.
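A defender-side check for this kind of Hosts file tampering, added here as an example and not part of Microsoft's remediation guidance: it parses Hosts file content and reports any hostname mapped to an address other than the local machine, and can also list the hostnames redirected to a specific known-bad address such as the 188.8.131.52 named above. The sample Hosts content is constructed; the second redirected hostname is a placeholder.

```python
"""Audit a Windows Hosts file for entries that redirect hostnames to
non-local addresses, the change TrojanSpy:Win32/Worsmep.A makes.

Added example, not Microsoft's code. SAMPLE_HOSTS is constructed; the
IP 188.8.131.52 is the one named in the encyclopedia entry and
example-escrow.invalid is a placeholder hostname.
"""
import ipaddress

# Constructed sample: the normal loopback entries plus redirected
# entries of the kind this trojan writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
188.8.131.52    escrow.com www.escrow.com
188.8.131.52    example-escrow.invalid   # placeholder hostname
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and
    malformed lines (Windows ignores those as well)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_entries(text):
    """Return (hostname, ip) pairs that point somewhere other than the
    local machine. A clean Windows Hosts file only maps to loopback
    (0.0.0.0 is tolerated because ad-blocking lists use it)."""
    return [(host, str(ip)) for ip, host in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


def redirected_to(text, bad_ip):
    """Hostnames mapped to one specific known-bad address."""
    target = ipaddress.ip_address(bad_ip)
    return sorted(host for ip, host in parse_hosts(text) if ip == target)


if __name__ == "__main__":
    for host, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"REDIRECT {host} -> {ip}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of the constructed sample; any hit for a financial or security-vendor domain is worth treating as an indicator of compromise.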
Monitors Internet activity
TrojanSpy:Win32/Worsmep.A also monitors Internet sessions to see whether a certain server script is accessed. If so, the trojan logs the information sent to the script and saves it to C:\Windows\system32\logfiles\pcm_records.txt.