
I-Worm.Trojan.b

Posted: May 14, 2009

Typically you will receive a Windows Security Center pop-up mentioning an infection called I-Worm.Trojan.b, soon followed by the suggestion to download and install the rogue anti-spyware program System Security 2009 in order to combat this threat. This pop-up is usually displayed on a webpage you are redirected to because affiliated trojans have altered your browser settings, causing unwanted redirects to malicious domains. It is on such insecure websites that you may receive this misleading alert message, which reads:

"Windows Security Center" "Virus (I-Worm.Trojan.b) was found on your computer! Click OK to install System Security Antivirus."

Clicking "OK" will automatically install System Security 2009, which will then run every time your computer starts up. This will lead to further fake notifications flooding your system, along with fraudulent infection reports, all in order to scare you into purchasing and installing the full version of System Security 2009.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %\Documents and Settings%\All Users\Application Data\00308937\00308937.exe
    2 %\Documents and Settings%\All Users\Application Data\00308937\config.udb
    3 %\Documents and Settings%\All Users\Application Data\00308937\pc00308937ins
    4 %UserProfile%\Desktop\System Security 2009.lnk
    5 %UserProfile%\Start Menu\Programs\System Security\System Security 2009 Support.lnk
    6 %UserProfile%\Start Menu\Programs\System Security\System Security 2009.lnk

Registry Modifications

  • The following Registry values were newly created:
    HKEY..\..\..\..{Subkeys}
      HKEY_LOCAL_MACHINE\Software\00308937
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "00308937"
    HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
      SystemSecurity2009
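
The file and registry indicators listed above can be checked against a saved file listing and a registry export during triage. The following Python is an added example, not part of the original write-up; the function names, the input formats (one path per line, and .reg export text) and the sample data are assumptions, and it matches only the exact names listed on this page.

```python
import re

# Indicators copied from the page, lower-cased; the %...% prefix is dropped so
# each suffix matches under any profile directory or drive.
FILE_SUFFIXES = (
    r"\all users\application data\00308937\00308937.exe",
    r"\all users\application data\00308937\config.udb",
    r"\all users\application data\00308937\pc00308937ins",
    r"\desktop\system security 2009.lnk",
    r"\start menu\programs\system security\system security 2009 support.lnk",
    r"\start menu\programs\system security\system security 2009.lnk",
)
REG_KEY = r"hkey_local_machine\software\00308937"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "00308937"

# Constructed sample inputs (not from a real host): a one-path-per-line listing
# and a fragment in .reg export format.
SAMPLE_LISTING = r"""C:\Documents and Settings\All Users\Application Data\00308937\00308937.exe
C:\Documents and Settings\alice\Desktop\System Security 2009.lnk
C:\Documents and Settings\alice\Desktop\notes.txt"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00308937"="C:\\Documents and Settings\\All Users\\Application Data\\00308937\\00308937.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\00308937]"""

def match_files(listing):
    """Return the listed paths that end with one of the page's file names."""
    paths = (line.strip().strip('"') for line in listing.splitlines())
    return [p for p in paths if p.lower().endswith(FILE_SUFFIXES)]

def match_registry(reg_text):
    """Walk .reg export text; report the page's subkey and its Run value."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:  # a [KEY] header starts a new section
            key = section.group(1).lower()
            if key == REG_KEY or key.startswith(REG_KEY + "\\"):
                hits.append(("key", section.group(1)))
            continue
        value = re.match(r'"((?:[^"\\]|\\.)*)"=', line)
        if value and key == RUN_KEY and value.group(1) == RUN_VALUE:
            hits.append(("run-value", line))
    return hits

if __name__ == "__main__":
    print(match_files(SAMPLE_LISTING))
    print(match_registry(SAMPLE_REG))
```

Matching is case-insensitive because Windows paths and registry key names are; a hit on the Run value is the persistence entry the description refers to when it says the program runs at every startup.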

One Comment

  • James says:

    We operate three websites, and our clients are complaining of getting the Iworm trojan b when going to our sites. What are your recommendations to locate and extract from our server, if it is on our server? We run Apache server. We can't afford to lose the clients!!!!!!

    Thanks, any help would be appreciated. PLEASE!!
