Trojan.Framar

Discovered: December 03, 2003
Updated: December 05, 2003 2:48:50 PM
Systems Affected: Windows

Trojan.Framar is a trojan that terminates processes of antivirus and security software and opens a port to allow remote access.

Trojan.Framar is a trojan program that terminates the processes of antivirus and security applications. When the trojan is executed, it creates the following copy of itself:
%Windir%\Avsynmgr32e.exe

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"\MSMcAfeee"="%Windir%\Avsynmgr32e.exe"

Next, the trojan terminates the following processes if they are running:
ZONEALARM.EXE
ZAPRO.EXE
VSMON.EXE
MINILOG.EXE
FRW.EXE
CPD.EXE
IAMAPP.EXE
IAMSERV.EXE
BLACKICE.EXE
PERSFW.EXE
SMC.EXE
SUBSEVEN_FIREWALL_VERSION_1.0.EXE
PCCPFW.EXE
VSHWIN32.EXE
AVCONSOL.EXE
MGAVRTCL.EXE
MGAVRTE.EXE
NAVAPW32.EXE
CCEVTMGR.EXE
NISUM.EXE
CCPXYSVC.EXE
AVSYNMGR.EXE
WEBSCANX.EXE
ALOGSERV.EXE
CMGRDIAN.EXE
APVXDWIN.EXE
PAVPROXY.EXE
PAVFIRES.EXE
REALMON.EXE
PCCCLIENT.EXE
PCCIOMON.EXE
POP3TRAP.EXE
TMPROXY.EXE

Finally, the trojan listens on TCP port 23435 for connections to allow remote access.
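
The following is an added example, not part of the original write-up: a triage check for the persistence entry and the listener described above. It assumes its input is text in the layout printed by `reg query` on the Run key and by `netstat -ano`; the sample text and function names are constructed for illustration.

```python
import re

# Indicators from the write-up above.
TROJAN_FILE = "avsynmgr32e.exe"  # copy created in %Windir%
TROJAN_PORT = "23435"            # TCP port the trojan listens on

REG_VALUE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.I)

def run_key_hits(reg_query_output):
    """Return (value name, data) for Run values that start the trojan's copy.

    Matches on the executable's file name in the data, not on the value name,
    and compares the whole name so the legitimate AVSYNMGR.EXE is not flagged.
    """
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_VALUE.match(line)
        exe = EXE_NAME.search(m.group(3)) if m else None
        if exe and exe.group(1).lower() == TROJAN_FILE:
            hits.append((m.group(1), m.group(3)))
    return hits

def listener_hits(netstat_output):
    """Return (local address, PID) for TCP sockets LISTENING on the trojan's port.

    Only the local port counts; a connection to a remote port 23435 is ignored.
    """
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == TROJAN_PORT:
                hits.append((f[1], f[4]))
    return hits

# Constructed sample output (not captured from an infected host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    McAfee Sync    REG_SZ    "C:\Program Files\McAfee\AVSYNMGR.EXE" /s
    \MSMcAfeee    REG_SZ    C:\WINDOWS\Avsynmgr32e.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:23435          0.0.0.0:0              LISTENING       1532
  TCP    10.0.0.5:49712         203.0.113.7:23435      ESTABLISHED     2200
"""

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG))
    print(listener_hits(SAMPLE_NETSTAT))
```

The PID returned by `listener_hits` can be compared against the process list to confirm which executable owns the socket.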