Category: Trojan Horse
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
15 Mar 2004
The W32.Tuoba.Trojan application utilizes the exploit of Internet Explorer to add a server on the web to the internet zone and to re-route the traffic of the network to that server.
W32.Tuoba.Trojan Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a trojan horse removal tool to automatically clean W32.Tuoba.Trojan from your computer.
More details about W32.Tuoba.Trojan
When this Trojan Horse was executed, Run.exe adds the 188.8.131.52 to the Intranet local zone from the Internet Explorer using the modified values in the key of the registry. The requests will be redirected to particular Web sites using the 184.108.40.206 address. This was being done by overwriting the File of the Hosts. The lines added to the file will appear to the aimed web sites the 220.127.116.11 freshvideogals.com, 18.104.22.168 auto.ie.searchforge.com, 22.214.171.124 allneedsearch.com, 126.96.36.199 find.microgirls.com, 188.8.131.52 link.startmake.com, 184.108.40.206 best.royalsearch.net, 220.127.116.11 in.webcounter.cc, 18.104.22.168 aifind.info, 22.214.171.124 default-homepage-network.com, 126.96.36.199 www.2fastsearch.net, 188.8.131.52 www.couldnotfind.com, 184.108.40.206 tits.hardcore4ever.net, 220.127.116.11 www.alfa-search.com, 18.104.22.168 www.dreamwiz.com, 22.214.171.124 www.omega-search.com, 126.96.36.199 nativehardcore.com, etc.
When the W32.Tuoba.Trojan was installed when user visits a Web page that is malicious. The we b page utilizes exploit of the Internet Explorer so it can perform the file .php that is a CHM malicious file. The Content.php have three files which are the Index.html, Htm2chm_about, and Htm2chm_explorer. The Index.html utilizes the exploit of the Internet Explorer on downloading file, Run.exe to the Program of the Drive C and then performs it. XMLid.Exploit was the file being detected. The Htm2chm_about is not totally malicious. Htm2chm_explorer is also not a malicious. The additional lines added to the file that will appear to the web sites targeted are 188.8.131.52 aifind.cc, 184.108.40.206 awebfind.biz, 220.127.116.11 find4u.net,
18.104.22.168 itseasy.us, 22.214.171.124 searchmyrequest.com, 126.96.36.199 www.008i.com, 188.8.131.52 search.ieplugin.com, 184.108.40.206 qwertysearch123.biz, 220.127.116.11 just.find-itnow.com etc.