The "No Network is 100% Secure" series
- Trojan Horse (computer) Malware -
A White Paper

All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants

Contact Us


Got a green screen with a system stopped message?: Skip to the Vundo trojan section

What is a Trojan Horse?: A Trojan horse, also known as a Trojan, describes a class of computer malware that appears to perform a desirable function but in fact performs undisclosed malicious functions. These could include allowing unauthorized access to the host machine, logging the user's keystrokes (spyware) and even permitting complete control over the computer.

Trojan Horses (not technically a virus) can be easily and unwittingly downloaded. This is usually done by tricking the user into downloading and activating malevolent software under the guise of being an ActiveX plug-in, driver, game or some other "desired" piece of software or function. The Trojan, one activated, opens a back door that allows a hacker to control the computer of the user. In recent years, sophisticated designs have made it increasingly easier to trick users into installing Trojans onto their computers. Additionally, the Trojan removal process has become correspondingly more difficult. The term is derived from the classical story of the Trojan Horse.

A program named "waterfalls.scr" serves as a simple example of a Trojan horse. The author claims it is a free waterfall screen saver. When running, it instead unloads hidden programs, scripts, or any number of commands without the user's knowledge or consent. Malicious Trojan horse programs conceal and install a malicious payload on an affected computer.

The Zlob Trojan is another, much more insidious and destructive Trojan. When visiting a web site, the user is asked if they want to install an ActiveX control so that the user can view the site contact (often videos). At this point, the Trojan has already been downloaded to the user's computer. Clicking anywhere on the request pad (not just the "OK" button) will install and activate the Trojan.

Once installed, it displays popup ads with appearance similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups trigger the download of a fake anti-spyware program (such as Virus Heat) in which the Trojan horse is hidden.

Some variants of the Zlob family, like the so-called DNSChanger, adds rogue DNS name servers to the Registry of Windows-based computers, network settings of Macintosh computers and attempts to hack into any detected router to change the DNS settings and therefore could potentially re-route traffic from legitimate web sites to other suspicious web sites.

The Trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to look as if it is an Anti Virus installation file from Microsoft. Having this file initiated can wreak havoc on computers and networks. One symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Scheduled Tasks to run a file called "zlberfker.exe".

PHSDL - Project Honeypot Spam Domains List tracks and catalogues Zlob spam Domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show a number of inline videos. Clicking on the video to play activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation are in the form of computer scan that comes as a Java cab.

There is evidence that the Zlob Trojan might be a tool of the Russian Business Network or at least of Russian origin.

The Gumblar trojan: A recent attack known as Gumblar is continuing to blow all previous web-based malware out of the water, with a new infected web page found every 4.5 seconds. Troj/JSRedir-R is now found six times more often than its nearest rival Mal/Iframe-F. JSRedir-R, which has been found on high traffic legitimate Web sites, loads malicious content from third-party sites (including one called, inspiring some security vendors to dub the threat 'Gumblar') without users' knowledge. The malware can then be used to steal sensitive information for financial gain, to commit identity theft or to meddle with search-engine results. The core security problem is that most computer users still think there's no danger in surfing the web. But with legitimate sites often falling victim to these attacks, it's time to change that thinking. As a first step, it's essential to scan every Web site for malicious code before visiting it. However, a green check mark is no guarantee of safety. I recently clicked on a legitimate-looking link on a legitimate-looking web site and INSTANTLY received a pop-up message from my web shield antivirus software that a threat had been detected. Poof.. like that the trojan was on my PC. Luckily for me, AVG immediately dumped it in the quarantine vault. But had I not been using professional grade AV software that I automatically update every four hours, it could have been a much sadder story.

So how is that so many websites are being compromised lately? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies. But the most prevalent method seems to be compromised FTP passwords that belonged to the people that administer these websites. There is also a major vulnerability in the Microsoft IIS server software that is being exploited.

If you think you may have visited a compromised site and have been infected, you may want to have a look HERE.

SpySheriff is malware that disguises itself as an anti-spyware program, in order to trick the owner of the infected computer to buy the program, by repeatedly informing them of false threats to their system. SpySheriff often goes unnoticed by actual anti-spyware programs, and is difficult to remove from an infected computer.

SpySheriff cannot be simply deleted, as it reinstalls itself through hidden components on the computer. Trying to remove it with the Add/Remove programs feature has similar results, or may result in a system crash. A blue screen of death may occur. The program will stop the computer from connecting to the internet or a limited internet connection, and will display an error message reading "The system has been stopped to protect you from Spyware."

The desktop background can also be replaced with a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged." SpySheriff has been known to create another user account, at the administrator level, to block access to programs and utilities for other users. If logged in as an administrator, it is sometimes possible to delete the SpySheriff account. It also acts to stop any attempt to do a System restore by preventing the calendar and restore points from loading. This prevents the user from being able to revert their computer to an earlier usable state. A System restore is however often possible after booting in Safe mode.

It blocks several websites, including the ones that have downloadable anti-spyware software, locks the user's Internet Explorer options, and It has also been implemented in pirated versions of Norton Antivirus. It will likely create the need for the use of a recovery disk in order to restore original factory specs.

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.

A Vundo infection is typically caused either by opening an e-mail attachment carrying the Trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins, such as Java. Many of the popups advertise fraudulent programs such as Sysprotect, Storage Protector, AntiSpywareMaster, WinFixer, AntiVirus 2009, and AntiVirus 360.

Since there are many different varieties of Vundo Trojans, symptoms of Vundo vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

Most antivirus programs are not able to block this infection. Some antivirus programs such as McAfee VirusScan and VundoFix may be able to remove the Trojan, however sometimes it is not able to, depending on what happens and how much damage the Trojan did.

Think you may have the Vundo Trojan infection? We are currently getting dozens of hits per hour by people looking for information about a green screen and popup saying that their system has been halted. I suspect this is due to the currently (as of 1/16/10) unpatched vulnerability in Microsoft Internet Explorer that hackers are gleefully taking advantage of. Here's what the trojan looks like when you are infected:

desktop screen becomes all green with a box in the middle displaying the following message: "Your system is infected! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spy ware removal tool to prevent data loss. Do not use the computer before all spy ware removed"

Clearing this trojan (Trojan.Vundo.H) is a pain but it can be done. First step is to do a scan using whatever AV software you happen to already have installed. Make sure your definitions are up-to-date although Vundo has been around for a while. You could get lucky and your existing AV software will get rid of it. However.... if your AV software was doing it's job you wouldn't have gotten infected in the first place, right? Failing that, try the following:

We've heard of good results using MBAM - Malwarebytes free Anti-Malware tool. You can download it from or alternately from

Follow the instructions to install and run MBAM, taking the defaults. Reboot in normal mode after the scan is completed. Run the scan a second time and verify that the system is now clean. You may also want to run something like ATF Cleaner to get rid of lingering temp files and other garbage. I've had good results from CCleaner. Both are free. If you still have problems or want to go really crazy, your can download and run SUPERAntiSpyware at

If you follow this procedure and have good results (or not) please drop us a note and we'll add your comments to this thread. Good luck!

Types of Trojan horse payloads are almost always designed to cause harm, but can sometimes be harmless. Payloads are classified based on how they breach and damage systems. The six main types of Trojan horse payloads are: Remote Access, Data Destruction, Downloader/dropper, Server Trojan (Proxy, FTP, IRC, Email, HTTP/HTTPS, etc.), Disable security software and Denial-of-service attack (DoS).

Methods of removal Since Trojan horses have a variety of forms, there is no single method to delete them. The simplest approach involves clearing the temporary internet files file and deleting it manually. Normally, antivirus software is able to detect and remove the Trojan automatically. Updated anti-spyware programs are also efficient against this threat. Most Trojans also hide in registries and processes. It is generally more difficult to remove a Trojan if the computer has been rebooted after the Trojan has been activated. Installing good quality anti virus software, keeping the virus definitions up-to-date and running a virus scam daily is the minimum that should be done to protect against Trojans.

Rogue Infiltrants Viruses that are displayed as "Anti-Virus programs" are known as Rogue Viruses. Rogue viruses have the prime intention of collecting money from a victim, and/or harming his or her computer with infections. The infections installed with rogue viruses make the user's computer slow, so they actually believe an infection exists, which it does. Trojan viruses frequently trick users with pop-up messages that get them to purchase "virus removal software" which of course does nothing of the kind.

Privacy-invasive software is a type of computer software that ignores user privacy and that is distributed with a specific intent, often of a commercial nature. Three examples of privacy-invasive software are adware, spyware and content hijacking programs. Keyloggers record user keystrokes in order to monitor user behavior. Self-replicating malware downloads and spreads disorder in systems and networks. Data-harvesting software that is programmed to harvest e-mail addresses, which results in spam e-mail messages that flood networks and mail servers with unsolicited commercial content (which are frequently scams).

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits, sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software, and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices.

Employee monitoring software is a means of employee monitoring, and allows company administrators to monitor and supervise all their employee computers from a central location. It is normally deployed over a business network and allows for easy centralized log viewing via one central networked PC.

Techniques include: Logging all keystrokes along with the window name they are typed. Capturing and logging sent and received E-mails. Logging all websites visited. Monitoring and logging all applications that a user runs. Record the documents and files a user opens and views.

Malware: Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware's most common pathway from criminals to users is through the Internet. Primarily via email and WWW web sites.

You might be surprised at all of the creepy, unknown "stuff" that's running on your servers and workstations. This is especially true if you don't have a process in place to audit your computing equipment periodically. We've seen (many) cases where production servers had been exploited and a rootkit run on them. And in some cases these servers were unknowing IRC chat servers with hundreds of on-going connections! Vulnerable web servers that were exploited and had subdomains created on them by hackers that housed hundreds of links to porn sites. And worse. Workstations with viruses, Trojans and bots that were sending out SPAM by the trainload. And all the user knew was that the PC had "gotten slower" recently.

Easyrider LAN Pro can come in and audit your enterprise in an organized way to see what's going on. Think of the performance boosts you are going to see once all of those non-production programs and services are removed from your network! Having firewalls and anti virus software deployed is no guarantee that there aren't LOT'S of infected computing gear in your enterprise. In fact, almost all of the sites where we have found major issues did indeed have these provisions installed and IT thought their network was 100% secure. Surprise! :(

About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.

Next in the security white paper series:

How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Conficker White Paper
Phishing White Paper
DNS Poisoning White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting

Last modified January 16, 2010
Copyright 1990-2010 Easyrider LAN Pro