Discovered: March 19, 2004
Updated: March 21, 2004 12:31:26 AM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Trojan.Linst is a trojan program attaches itself to Internet Explorer and sends information to a remote web server. When the trojan is installed, it creates the following files in the current folder, %Windir% folder and %System32% folder:
Zlib.dll
Groups.txt
Links.txt
HttpReq.dll
Dlinsth.dll
Dlinst0.dll
Bho.dll
It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cihost.exe"="%windir%\cihost.exe"
The trojan then loads Bho.dll, which is an adware program.
It also loads Dlinsth.dll, which hooks the Iexplore.exe process so Dlinsth.dll runs in the context of Internet Explorer.
Dlinst0.dll then sends the following information to a remote web server at http:/ /x-fuck.net:
Software installed
Environment variables
System settings
The trojan then proceeds to display advertisements based on the results returned by the web server.
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine