Technical Details

This Trojan modifies the system configuration. The Trojan itself is a Windows PE EXE file 8704 bytes in size.


When launched, the Trojan creates a file with a random name composed of numbers and a BAT extension in the Windows temporary directory. This file is executed and then deleted, and the Trojan ceases running.

When launched, this packed file creates a system registry configuration file called c:\reg.reg. The configuration from this file will be transferred to the system registry, and the file will then be deleted.

These modifications to the system registry will cause the following message to be displayed every time the victim system is started:

The Internet Explorer home page will be altered to Additionally, the function of the left and right mouse keys will be swapped, and the speed at which the computer reacts to a double click on the mouse and to keys being depressed will be altered.

Removal Instructions

  1. Delete the original Trojan file (its location will depend on how it initially penetrated the victim machine).
  2. Configure mouse and keyboard parameters.
  3. Delete the following registry values:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     "LegalNoticeCaption"="YoU HaVe BeeN HacKeD"
     "LegalNoticeText"="Please contact 1-800-784-2433"

  4. Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus).
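
The registry checks from steps 2 and 3 can be scripted. The following PowerShell is an added example, not part of the original description. The Winlogon values come from step 3; the mouse, keyboard and Internet Explorer registry locations and their Windows defaults are assumptions, since the page does not name the values the Trojan writes.

```powershell
# Added example: audit (and optionally clean) the changes described on this page.
# Run from an elevated prompt. Nothing is modified unless -Remediate is given.
param([switch]$Remediate)

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Strings taken from step 3 of the removal instructions.
$trojanValues = @{
    LegalNoticeCaption = 'YoU HaVe BeeN HacKeD'
    LegalNoticeText    = 'Please contact 1-800-784-2433'
}

foreach ($name in $trojanValues.Keys) {
    $current = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Output "$name : not present"
    } elseif ($current -eq $trojanValues[$name]) {
        Write-Output "$name : matches the Trojan's value"
        if ($Remediate) {
            Remove-ItemProperty -Path $winlogon -Name $name
            Write-Output "$name : deleted"
        }
    } else {
        # A different banner may be a legitimate organisational logon notice.
        Write-Output "$name : set to '$current' (not the Trojan's value, left alone)"
    }
}

# Assumption: standard per-user locations for the settings the description
# says are altered. These are reported only; restore them via Control Panel.
$review = @(
    @{ Path = 'HKCU:\Control Panel\Mouse';    Name = 'SwapMouseButtons'; Default = '0'   },
    @{ Path = 'HKCU:\Control Panel\Mouse';    Name = 'DoubleClickSpeed'; Default = '500' },
    @{ Path = 'HKCU:\Control Panel\Keyboard'; Name = 'KeyboardDelay';    Default = '1'   },
    @{ Path = 'HKCU:\Control Panel\Keyboard'; Name = 'KeyboardSpeed';    Default = '31'  },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page'; Default = $null }
)

foreach ($item in $review) {
    $value = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    $note = ''
    if ($null -ne $item.Default -and "$value" -ne $item.Default) {
        $note = "(differs from Windows default $($item.Default))"
    }
    Write-Output ("{0}\{1} = {2} {3}" -f $item.Path, $item.Name, $value, $note)
}
```

Run it once without `-Remediate` to see what would be deleted. The per-user checks cover only the account running the script, so repeat them for each affected user profile.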