
System Infected: Trojan.Semnager Installer Download

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Semnager activity on the system.

Additional Information

Trojan.Semnager is a Trojan horse that may modify the Web browser on the compromised computer.
When the Trojan is executed, it creates the following files:
%ProgramFiles%\Settings Manager\systemk\favicon.ico
%ProgramFiles%\Linkey\ChromeExtension\ChromeExtension.crx
%ProgramFiles%\Linkey\Helper.dll
%Temp%\nsb1C\Helper.dll
%ProgramFiles%\Linkey\Uninstall.exe
%Temp%\nsb1C\Uninstall.exe
%Temp%\nsy3\Helper.dll
%Temp%\nsy3\Starter.exe
%ProgramFiles%\Linkey\IEExtension\iedll64.dll
%ProgramFiles%\Linkey\IEExtension\iedll.dll
%ProgramFiles%\Linkey\log.log
%ProgramFiles%\Settings Manager\systemk\Internet Explorer Settings.exe
%ProgramFiles%\Settings Manager\systemk\sysapcrt.dll
%ProgramFiles%\Settings Manager\systemk\syskldr.dll
%ProgramFiles%\Settings Manager\systemk\syskldr_u.dll
%ProgramFiles%\Settings Manager\systemk\systemkbho.dll
%ProgramFiles%\Settings Manager\systemk\systemk.dll
%ProgramFiles%\Settings Manager\systemk\SystemkService.exe
%ProgramFiles%\Settings Manager\systemk\systemku.exe
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb

The Trojan then connects to the following remote locations:
[http://]preved.aztecbe.com/lo[REMOVED]
[http://]service.aztecbe.com/install_sta[REMOVED]

The Trojan may then perform the following actions:
  • Install a plugin called "Linkey" into the Internet Explorer and Chrome Web browsers.
  • Change the browser's default search engine to default-search.net.
  • Change the browser's home page to [http://]www.default-search.net[REMOVED].
  • Prevent users from changing the browser's home page or default search engine.
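As an added defender-side example (not part of the Symantec advisory), the following Python script matches a host's file listing and proxy log lines against the indicators listed above. It expands the %ProgramFiles%, %Temp% and %WinDir% placeholders against one or more caller-supplied environment mappings (so both "Program Files" and "Program Files (x86)" can be covered on 64-bit systems), matches only the host part of the remote locations because the advisory redacts the URL paths, and separately flags traffic to the default-search.net domain the Trojan sets as home page and search engine. The sample file listing, proxy lines, environment values and the `PLACEHOLDER-PATH` URL paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# File indicators copied from the advisory (placeholders left as written there).
FILE_IOCS = [
    r"%ProgramFiles%\Settings Manager\systemk\favicon.ico",
    r"%ProgramFiles%\Linkey\ChromeExtension\ChromeExtension.crx",
    r"%ProgramFiles%\Linkey\Helper.dll",
    r"%Temp%\nsb1C\Helper.dll",
    r"%ProgramFiles%\Linkey\Uninstall.exe",
    r"%Temp%\nsb1C\Uninstall.exe",
    r"%Temp%\nsy3\Helper.dll",
    r"%Temp%\nsy3\Starter.exe",
    r"%ProgramFiles%\Linkey\IEExtension\iedll64.dll",
    r"%ProgramFiles%\Linkey\IEExtension\iedll.dll",
    r"%ProgramFiles%\Linkey\log.log",
    r"%ProgramFiles%\Settings Manager\systemk\Internet Explorer Settings.exe",
    r"%ProgramFiles%\Settings Manager\systemk\sysapcrt.dll",
    r"%ProgramFiles%\Settings Manager\systemk\syskldr.dll",
    r"%ProgramFiles%\Settings Manager\systemk\syskldr_u.dll",
    r"%ProgramFiles%\Settings Manager\systemk\systemkbho.dll",
    r"%ProgramFiles%\Settings Manager\systemk\systemk.dll",
    r"%ProgramFiles%\Settings Manager\systemk\SystemkService.exe",
    r"%ProgramFiles%\Settings Manager\systemk\systemku.exe",
    r"%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb",
]
# Remote locations from the advisory; their URL paths are redacted, so only hosts are matched.
ADVISORY_HOSTS = {"preved.aztecbe.com", "service.aztecbe.com"}
# Domain the Trojan sets as home page and default search engine.
HIJACK_DOMAIN = "default-search.net"

PLACEHOLDER_RE = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Replace %Var% tokens using env (case-insensitive keys); unknown tokens stay as-is."""
    lowered = {k.lower(): v for k, v in env.items()}
    return PLACEHOLDER_RE.sub(lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def norm(path):
    """Canonical form for comparison: backslashes, no trailing separator, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def match_files(observed_paths, environments):
    """Return observed paths (sorted) that equal an advisory file IoC once the
    placeholders are expanded with each supplied environment mapping."""
    wanted = {norm(expand(p, env)) for env in environments for p in FILE_IOCS}
    return sorted(p for p in observed_paths if norm(p) in wanted)


def classify_urls(log_lines):
    """Parse '<client> <method> <url>' proxy lines and bucket URLs by host:
    'advisory_hosts' for the listed remote locations, 'search_hijack' for the
    default-search.net domain (the latter alone is weaker evidence of infection)."""
    buckets = {"advisory_hosts": [], "search_hijack": []}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line; skip rather than misclassify
        url = parts[2]
        host = (urlsplit(url).hostname or "").lower()
        if host in ADVISORY_HOSTS:
            buckets["advisory_hosts"].append(url)
        elif host == HIJACK_DOMAIN or host.endswith("." + HIJACK_DOMAIN):
            buckets["search_hijack"].append(url)
    return buckets


# Constructed sample data (not from the advisory).
_TEMP, _WIN = r"C:\Users\alice\AppData\Local\Temp", r"C:\Windows"
SAMPLE_ENVS = [
    {"ProgramFiles": r"C:\Program Files", "Temp": _TEMP, "WinDir": _WIN},
    {"ProgramFiles": r"C:\Program Files (x86)", "Temp": _TEMP, "WinDir": _WIN},
]
SAMPLE_FILES = [
    r"C:\Program Files (x86)\Linkey\Helper.dll",
    r"C:\Program Files\Settings Manager\systemk\SystemkService.exe",
    r"C:\Users\alice\AppData\Local\Temp\nsy3\Starter.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://preved.aztecbe.com/PLACEHOLDER-PATH",
    "10.0.0.5 GET http://www.default-search.net/",
    "10.0.0.7 GET https://www.example.com/",
    "10.0.0.5 POST http://service.aztecbe.com/PLACEHOLDER-PATH",
]

if __name__ == "__main__":
    for hit in match_files(SAMPLE_FILES, SAMPLE_ENVS):
        print("file IoC present:", hit)
    found = classify_urls(SAMPLE_PROXY_LOG)
    for url in found["advisory_hosts"]:
        print("contact with advisory host:", url)
    for url in found["search_hijack"]:
        print("search-hijack domain:", url)
```

Feed `match_files` a real directory listing (for example one exported from the host or from an EDR file inventory) and `classify_urls` the proxy or DNS-derived URL log for the same host; a file hit on the Settings Manager or Linkey paths is the strong signal, while default-search.net traffic alone mainly corroborates the home-page and search-engine change.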

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Response

No further action is required, but you may wish to perform some of the following actions as a precautionary measure:
  • Run the Norton Power Eraser (home users).
  • Run the Symantec Power Eraser (business users).
  • Update your product definitions and perform a full system scan.
  • Identify suspicious files.
  • Submit suspicious files to Symantec for analysis.

If you believe that the signature is reported erroneously, please read the following:
  • Change the behavior of Symantec IPS signatures.
  • Report a potential false positive to Symantec.