Trojan.Linst

Printer Friendly Page

Discovered: March 19, 2004
Updated: March 21, 2004 12:31:26 AM
Systems Affected: Windows

Trojan.Linst is a trojan program attaches itself to Internet Explorer and sends information to a remote web server.

Discovered: March 19, 2004
Updated: March 21, 2004 12:31:26 AM
Systems Affected: Windows

Trojan.Linst is a trojan program attaches itself to Internet Explorer and sends information to a remote web server. When the trojan is installed, it creates the following files in the current folder, %Windir% folder and %System32% folder:
Zlib.dll
Groups.txt
Links.txt
HttpReq.dll
Dlinsth.dll
Dlinst0.dll
Bho.dll


It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cihost.exe"="%windir%\cihost.exe"

The trojan then loads Bho.dll, which is an adware program.

It also loads Dlinsth.dll, which hooks the Iexplore.exe process so Dlinsth.dll runs in the context of Internet Explorer.

Dlinst0.dll then sends the following information to a remote web server at http:/ /x-fuck.net:
Software installed
Environment variables
System settings

The trojan then proceeds to display advertisements based on the results returned by the web server.