Trojan-PSW.Win32.Zombie.10
From Total Malware Info
This Trojan steals system passwords from the victim machine and sends them by email. It is a PE EXE file compiled with Microsoft Visual C++ and packed with the UPX packer. The executable is 61 530 bytes packed and 131 163 bytes unpacked.
Installation
The Trojan copies itself as systsrv.exe into the %System% folder. After execution it changes the following registry value so that this file is launched every time an .exe file is executed on the system:
[HKCR\exefile\shell\open\command] "(Default)"="%system%\systsrv.exe "%1" %*"
Payload
The Trojan searches the system for *.pwl files. PWL files are where Windows (95/98/Me) stores system and dial-up passwords. The Trojan then sends these files to a preconfigured email address.
Removal instructions
- Delete the executable file
%system%\systsrv.exe
- Change the following registry value:
[HKCR\exefile\shell\open\command] "(Default)"="%system%\systsrv.exe "%1" %*"
to the value:
[HKCR\exefile\shell\open\command] "(Default)"=""%1" %*"
- Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer (download a trial version).
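The registry check from the removal steps can be automated against a regedit export. The following is an added example, not part of the original entry: it parses a .reg export and reports any program placed in front of "%1" in the exefile open command. The sample exports are constructed, and C:\WINDOWS\SYSTEM is an assumed expansion of %System%.

```python
import re

# Clean handler for .exe files, as given in the removal instructions.
EXPECTED = '"%1" %*'
KEY = r"hkey_classes_root\exefile\shell\open\command"

def unescape_reg(s):
    """Undo .reg string escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r'\1', s)

def exefile_handler(reg_text):
    """Return the (Default) value of the exefile open command, or None."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY
        elif in_key and line.startswith('@="') and line.endswith('"'):
            return unescape_reg(line[3:-1])
    return None

def interposed_program(handler):
    """Return the program run ahead of "%1", or None for the clean value."""
    if handler is None or handler.strip() == EXPECTED:
        return None
    head, _, _ = handler.partition('"%1"')
    prog = head.strip().strip('"')
    # If nothing precedes "%1" but the value still differs, report it whole.
    return prog if prog else handler

# Constructed sample exports (Windows 9x regedit writes a REGEDIT4 header).
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\systsrv.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        prog = interposed_program(exefile_handler(text))
        print(name, "->", prog or "handler is the default value")
```
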





