
sysmon.exe - Dangerous

Manual removal instructions:

Antivirus Report of sysmon.exe: Malware, Dangerous, High Risk
Worm.Win32.Bizex
This worm spreads over the Internet through the ICQ instant messaging system.
The worm sends ICQ users a message containing a URL. The linked page holds code that automatically downloads
and executes the malicious component of the worm on the victim computer.

On connecting to the site http://www.jokeworld.xxx/xxx.html (x here is used to replace certain characters) a CHM exploit is used.
As a result, a specially constructed CHM file is automatically executed on the victim computer.
This file contains a TrojanDropper, a type of Trojan written in a scripting language.
This Trojan extracts a file named WinUpdate.exe from itself into a range of system directories.
WinUpdate.exe is a Trojan program of the TrojanDownloader group, which downloads the main component of the worm from a remote site
and writes it to the temporary directory under the name aptgetupd.exe.

Adds the value: "sysmon" = %system%\sysmon\sysmon.exe
to registry key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

Steals information relating to a range of financial services, such as Acceso a Banca por Internet, Accueil Bred.fr > Espace Bred.fr, American Express UK - Personal, etc.
It also steals data transmitted by HTTPS, relating to accounts of a variety of mail services such as Yahoo, etc.
All stolen information is sent by FTP to a remote server: www.ustrading.info
The worm extracts a number of .dll files from itself and installs them in the Windows system directory: java32.dll, javaext.dll, icq_socket.dll, ICQ2003Decrypt.dll
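The artifacts listed above (the Run-key value, the dropped DLLs, the dropper/downloader stages and the exfiltration host) can be checked read-only with the following script. It is an added example, not part of the original page or of RegRun; it assumes a Windows host and PowerShell 4 or later, and the choice of Windows and System32 as the "range of system directories" for WinUpdate.exe is an assumption.

```powershell
# Added example, not from the original page: read-only triage of the Bizex
# artifacts described above on a Windows host. Nothing is modified or removed.
function Find-BizexArtifacts {
    $findings = @()
    $sysDir = [Environment]::SystemDirectory      # %system%

    # Run-key value "sysmon" = %system%\sysmon\sysmon.exe. The value name and
    # the sysmon\ subdirectory are the identifying artifact; the bare file
    # name is not, since unrelated software also ships a sysmon.exe.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $runKey -Name 'sysmon' -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $target = [Environment]::ExpandEnvironmentVariables([string]$val.sysmon)
        $findings += [pscustomobject]@{ Kind = 'RunKey'; Detail = "sysmon = $target" }
    }

    # DLLs the worm extracts into the system directory.
    foreach ($dll in 'java32.dll', 'javaext.dll', 'icq_socket.dll', 'ICQ2003Decrypt.dll') {
        $p = Join-Path $sysDir $dll
        if (Test-Path -LiteralPath $p) {
            $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Kind = 'DroppedDll'; Detail = "$p SHA256=$sha" }
        }
    }

    # Dropper, downloader and main component. The description says WinUpdate.exe
    # goes to "a range of system directories"; the Windows and System32
    # directories are checked here as an assumption.
    $stages = @(
        (Join-Path $sysDir 'sysmon\sysmon.exe'),
        (Join-Path $env:TEMP 'aptgetupd.exe'),
        (Join-Path $sysDir 'WinUpdate.exe'),
        (Join-Path $env:windir 'WinUpdate.exe')
    )
    foreach ($p in $stages) {
        if (Test-Path -LiteralPath $p) {
            $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Kind = 'StageFile'; Detail = "$p SHA256=$sha" }
        }
    }

    # Exfiltration host in the local DNS cache (cmdlet needs the DnsClient module).
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $dns = Get-DnsClientCache -Entry 'www.ustrading.info' -ErrorAction SilentlyContinue
        if ($dns) { $findings += [pscustomobject]@{ Kind = 'DnsCache'; Detail = 'www.ustrading.info in DNS cache' } }
    }
    return $findings
}
Find-BizexArtifacts | Format-Table -AutoSize
```

Hash the files you find before removal so the samples can be matched against vendor signatures later.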

Remove it from startup with RegRun Startup Optimizer.

Remove sysmon.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly if you have any questions.
