Trojan.Hugesot is a Trojan horse that downloads remote files and attempts to start a command shell on the compromised computer.
Once executed, Trojan.Hugesot performs the following actions:
1. Adds the value:
"sysdll" = "[TROJAN FILE NAME]"
to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
2. Connects to the following URL and downloads configuration data:
[http://]news.hugesoft.org/[REMOVED]/interl.html
3. Attempts to perform the following actions:
* Download and execute files
* Upload files
* Start a command shell
4. Downloads a file from the following URL and saves it as %CurrentFolder%\syshost.exe:
[http://]news.hugesoft.org/[REMOVED]/interl.gif
Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
5. Attempts to contact the following server to receive further commands from a remote attacker:
[http://]news.hugesoft.org/[REMOVED]/start.asp
6. Sends system information to the following server:
[http://]news.hugesoft.org/[REMOVED]/auto.asp
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.hugesot.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"sysdll" = "[TROJAN FILE NAME]"
6. Exit the Registry Editor.
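
The registry check and deletion above, written as a PowerShell script. This is an added example, not part of the original write-up. It also checks the WOW6432Node copy of the Run key and looks for syshost.exe beside the referenced file; both are assumptions and are labelled in the comments.

```powershell
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param()

$valueName = 'sysdll'   # value name from the write-up
$runKeys = @(
    # Subkey named in the write-up
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Not in the write-up: the 32-bit registry view on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Output "Not present: '$valueName' under $key"
        continue
    }

    # Assumption: the data is a file path, optionally quoted; expand %VAR% references.
    $data = [string]$item.$valueName
    $path = if ($data -match '^\s*"([^"]+)"') { $Matches[1] } else { $data.Trim() }
    $path = [Environment]::ExpandEnvironmentVariables($path)

    # Record what the value points at before anything is changed.
    $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
    $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }

    # Assumption: the Trojan still sits in the folder it first ran from, so the
    # syshost.exe it saves to %CurrentFolder% would be beside it.
    $folder  = if ($path) { Split-Path -Path $path -Parent } else { $null }
    $sibling = if ($folder) { Join-Path -Path $folder -ChildPath 'syshost.exe' } else { $null }

    [pscustomobject]@{
        Key            = $key
        Data           = $data
        FileExists     = $exists
        SHA256         = $hash
        SyshostPresent = [bool]($sibling -and (Test-Path -LiteralPath $sibling -PathType Leaf))
    }

    # Deletes only the registry value, as in steps 4-5; files are left for analysis.
    if ($PSCmdlet.ShouldProcess("$key\$valueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $key -Name $valueName -ErrorAction Stop
    }
}
```

Save it as a .ps1 file and run it from an elevated prompt; with -WhatIf it reports what it finds without deleting anything.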