Aliases: W32/Benpao.Trojan
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 17 Feb 2003
Damage: Medium

Characteristics: The W32.Benpao.Trojan program is malware capable of stealing usernames, passwords and other important authentication information. This Trojan can also modify the registry so that when files with the extensions .ini, .exe, .chm, .txt, .scr or .reg are opened, the Trojan is executed as well. This malware is written in Visual Basic and packed with UPX.

More details about W32.Benpao.Trojan

Once the W32.Benpao.Trojan program successfully infects a computer system, it copies itself to subfolders in C:\Windows under the filenames d.exe, e.exe, w.exe, f.exe and kx.exe. It likewise copies itself as ExploreB.exe in the C:\Windows\System folder and then executes that copy. Next, the Trojan alters several key values in different registry entries so that it executes each time the system starts. The Trojan then creates the file C:\DebugFI, which it uses to store important information related to the files it has copied to the system. It then tries to end the processes kavsvc9x.exe, kav9x.exe, kavsvcui.exe, ravmon.exe, smenu.exe, and watcher.exe.

The malware will likewise try to send the infected machine’s usernames, passwords and other details to a remote hacker via email. To remove all traces of the W32.Benpao.Trojan program, users can conduct a full system scan using an antivirus program, preferably after updating its virus definitions. Follow the instructions provided by the antivirus program to completely delete the malware. Most importantly, the altered registry values should be restored to their original values, and the values added by the malware should be deleted.
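To check whether the file-open handlers described above still point at the Trojan after cleanup, the following added example (not part of the original write-up or of any vendor tool) scans a text registry export for shell\open\command values that name one of the dropped files. The write-up does not list the registry keys involved, so the exefile, txtfile and regfile keys and the hijacked command lines in the sample are constructed assumptions; only plain string values are parsed.

```python
import re
from ntpath import basename

# File names the write-up says the Trojan drops (compared case-insensitively).
DROPPED = {"d.exe", "e.exe", "w.exe", "f.exe", "kx.exe", "exploreb.exe"}

# Constructed sample in "reg export" text form; the hijacked values are invented
# for illustration and the key names are standard Windows ProgIDs (assumption).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\System\\ExploreB.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\kx.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''

def open_commands(export_text):
    """Yield (key, command) for each default value under ...\\shell\\open\\command."""
    key = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            if key.lower().endswith(r"\shell\open\command"):
                # Undo .reg escaping of backslashes and quotes.
                yield key, re.sub(r"\\(.)", r"\1", line[3:-1])

def hijacked_handlers(export_text):
    """Return handlers whose command line names one of the dropped files."""
    hits = []
    for key, command in open_commands(export_text):
        # Split on quotes and whitespace, then compare each token's file name.
        tokens = re.split(r'["\s]+', command)
        names = {basename(t).lower() for t in tokens if t}
        if names & DROPPED:
            hits.append((key, command))
    return hits

if __name__ == "__main__":
    for key, command in hijacked_handlers(SAMPLE_EXPORT):
        print(f"SUSPICIOUS {key} -> {command}")
```

Any handler reported here is one of the altered values that needs to be restored to its original command.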