
Win32:Atraps-pf

Posted: July 6, 2012

Threat Metric

Threat Level: 9/10
Infected PCs: 17
First Seen: July 6, 2012
OS(es) Affected: Windows

Win32:Atraps-pf is a PC threat that's often installed (and reinstalled as necessary) by rootkits that include backdoor Trojan capabilities. Win32:Atraps-pf exhibits no symptoms of its attacks other than alerts from anti-malware programs that are able to detect it, but SpywareRemove.com malware researchers always recommend treating Win32:Atraps-pf, like all components of a rootkit-based attack, as a high-level PC threat to be removed quickly and thoroughly. Because Win32:Atraps-pf is associated with multiple types of PC threats that may steal confidential information or install other types of malicious software, you should always scan your PC thoroughly with updated and competent anti-malware programs if you suspect that Win32:Atraps-pf or related PC threats are on your hard drive. Afterward, you should also take any extra actions that are necessary to protect bank accounts and other forms of online security that may have been compromised by Win32:Atraps-pf or associated PC threats.

Win32:Atraps-pf: the Most Noticeable Part of a Stealth Attack Against Your Computer

Win32:Atraps-pf is often noted as the one noticeable symptom of a multiple component attack against an infected PC, as Win32:Atraps-pf is one of the most likely components of an associated rootkit to be detected by anti-malware software. While allowing your anti-malware programs to contain Win32:Atraps-pf is always advised, failure to identify and delete related PC threats can result in Win32:Atraps-pf being reinstalled within a matter of minutes. This often leads to a prominent symptom of infection by Win32:Atraps-pf: anti-malware alerts regarding Win32:Atraps-pf that appear every few minutes, even if Win32:Atraps-pf was quarantined and/or deleted successfully just a short while ago.

Other PC threats that are related to Win32:Atraps-pf include:

  • Trojan.Dropper.BCMiner, a PC threat that installs other software and may facilitate 'BitCoin mining,' a crime that uses the infected PC's resources to create artificial revenue.
  • Win64:Sirefef-A and other versions of the ZeroAccess rootkit, a PC threat that can modify your search engine results, disable critical security features, install other PC threats and use advanced techniques to conceal its presence from security programs.

Other Clues to Spotting Win32:Atraps-pf... and Why You Should Be Worried About It

While Win32:Atraps-pf-related attacks can include many other possibilities besides the ones noted below, SpywareRemove.com malware researchers have recently noted the following issues as associated with the Win32:Atraps-pf infection:

  • A desktop image that's locked to a preset image (typically to an inaccurate warning message that's used by associated ransomware or fake security software).
  • A sharp reduction in various security features for your web browser, including certificate-handling functions.
  • Disabled security programs, including basic tools like the Windows Task Manager.
  • File-viewing settings that are changed to conceal files with the Hidden attribute.

Some of these changes may be reversible by suitable anti-malware programs, while others may require that you reinstall your OS or restore it from a clean backup. SpywareRemove.com malware researchers especially note a high probability for Win32:Atraps-pf infections to compromise the Windows Registry.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

  • thotheng0.tmp
    Size: 88.57 KB (88576 bytes)
    MD5: 659df26407dc4a37aa6bcf039dcbbde0
    Detection count: 75
    File type: Temporary File
    Mime Type: unknown/tmp
    Group: Malware file
    Last Updated: July 24, 2012

  • file.dll
    Size: 94.2 KB (94208 bytes)
    MD5: 95301c3f871e703d749fc29877842bef
    Detection count: 74
    File type: Dynamic link library
    Mime Type: unknown/dll
    Group: Malware file
    Last Updated: July 24, 2012

  • %System%\drivers\[RANDOM CHARACTERS].sys
    File type: System file
    Mime Type: unknown/sys
    Group: Malware file

  • %Temp%\[RANDOM CHARACTERS]
    Group: Malware file

  • C:\WINDOWS\system32\[RANDOM NAME].dll
    File type: Dynamic link library
    Mime Type: unknown/dll
    Group: Malware file

Registry Modifications

The following Registry values were newly created:

HKEY..\..\{Value}

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM]"
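
A read-only check for the Registry values listed above, as an added example that is not part of the original page: it compares a subset of those values with what is currently set and lists the HKCU Run entries for manual review, since the listed Run names are random. `ShowSuperHidden` is left out because `0` is also the Windows default; the function and variable names are this example's own.

```powershell
# Added example (read-only): compare Registry values listed on this page
# with the current settings. Nothing is modified.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$indicators = @(
    @('HKCU:\Software\Microsoft\Internet Explorer\Download', 'CheckExeSignatures', 'no'),
    @("HKCU:\$cv\Internet Settings", 'WarnonBadCertRecving', '0'),
    @("HKCU:\$cv\Internet Settings", 'CertificateRevocation', '0'),
    @("HKCU:\$cv\Policies\Attachments", 'SaveZoneInformation', '1'),
    @("HKCU:\$cv\Policies\System", 'DisableTaskMgr', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system', 'DisableTaskMgr', '1'),
    @("HKCU:\$cv\Policies\Explorer", 'NoDesktop', '1'),
    @("HKCU:\$cv\Policies\ActiveDesktop", 'NoChangingWallPaper', '1'),
    @("HKCU:\$cv\Explorer\Advanced", 'Hidden', '0')
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

# Flag a value only when it exists and equals the data listed on the page.
$findings = foreach ($i in $indicators) {
    $path, $name, $bad = $i
    $data = Get-RegValue $path $name
    if ($null -ne $data -and "$data" -eq $bad) {
        [pscustomobject]@{ Key = $path; Value = $name; Data = $data }
    }
}

# LowRiskFileTypes: flag when executable or script extensions are marked low risk.
$assocPath = "HKCU:\$cv\Policies\Associations"
$low = Get-RegValue $assocPath 'LowRiskFileTypes'
if ("$low" -match '\.(exe|bat|com|cmd|reg|msi|scr)(;|$)') {
    $findings = @($findings) + [pscustomobject]@{
        Key = $assocPath; Value = 'LowRiskFileTypes'; Data = $low }
}

# The Run value names on the page are random, so list every entry for review.
$runKey = Get-Item -LiteralPath "HKCU:\$cv\Run" -ErrorAction SilentlyContinue
$runEntries = if ($runKey) {
    foreach ($n in $runKey.GetValueNames()) {
        [pscustomobject]@{ Name = $n; Command = $runKey.GetValue($n) }
    }
}

$findings   | Format-Table -AutoSize -Wrap
$runEntries | Format-Table -AutoSize -Wrap
```

Some of these values can also be set by an administrator's policy, so a single match is a prompt for a full scan rather than a verdict.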

One Comment

  • apollo martinez says:

    Look, your instruction about removing the atraps virus is not perfect. You always show the illustration having no complete details. I have so many experience about the USB eating virus and files hidden to no name folder. Here are my instructions:
    1. administrator Autoruns.exe, 2. uncheck the suspected virus, 3. add to McAfee VirusScan console, 4. reboot computer, 5. administrator Autoruns.exe, 6. delete suspected virus, 7. administrator Command Prompt, 8. navigate USB directory and type Attrib *.* -h -a -r -s /s /d, 9. delete all files except the folder has no name, 10. transfer all files inside the folder no names, 11. delete the folder no names.
    There are many viruses to hide the external USB files, not only the atraps works.
