hi jennifer,
here's some info on how to delete this trojan:
the aliases for this trojan are:
Troj/Zasil-A (Sophos), Trojan.Zasil (Symantec), TrojanClicker.Win32.Zasil (AVP)
Method Of Infection:
This trojan connects to a remote website to retrieve "further instructions". At the time of analysis, the trojan simply retrieved another URL to access. It may store the contents of remote files retrieved in the Windows directory, such as winrtu32.exe.
Indications Of Infection
Presence of the file REGISTRY.EXE in the Windows directory (note this filename is not the same as REGEDIT.EXE) with an icon typically associated with the Registry Editor.
As the trojan uses a remote website, the effects of an infection may vary as the site is modified.
Virus Characteristics
A dropper of this trojan is believed to have been SPAMmed to many users. This trojan connects to a geocities.com user's site to retrieve a URL. It then navigates to that URL, passing the infected user's IP address and the string "Second,email_zasil". The trojan copies itself to the WINDOWS (%WinDir%) directory as REGISTRY.EXE and creates a registry run key to load itself at startup:
Windows 9x/ME:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Registry Services" = C:\WINDOWS\REGISTRY.EXE <(Delete this Key)
Windows NT/2000/XP:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "0" = %windir%\registry.exe <(Delete this Key)
An additional key is also created:
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager <(Delete this Key)
The trojan is dropped by a file, often named MINENEW.EXE.PIF or MINENEW.MPG.PIF. <(Delete this file)
The dropper extracts a JPG file to the %Temp% folder and opens it. <(Delete this file)
This image is of pornographic nature.
for more info on trojans and their removal go to the www.thepublicworks.com security section and link to trojans, trojan ports, security dogs, firewalls and security, simovits consulting.
hope this helps, all the best
murve
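
A read-only check for the indicators listed in the post above, added here as an example and not part of the original post or any vendor tool. The `$SearchRoots` parameter and its default are assumptions, since the post gives no location for the dropper files.

```powershell
# Added example: read-only check for the Zasil indicators listed in the post.
# It reports findings and deletes nothing. Requires PowerShell 3.0 or later.
param(
    # Assumption: the post gives no dropper location, so search the user profile.
    [string[]]$SearchRoots = @($env:USERPROFILE)
)

$findings = @()

# Run values from the post; flag them only when the data points at registry.exe.
$runValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Registry Services' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = '0' }
)
foreach ($rv in $runValues) {
    $props = Get-ItemProperty -LiteralPath $rv.Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $prop = $props.PSObject.Properties[$rv.Name]
    if ($null -ne $prop -and "$($prop.Value)" -match '\\registry\.exe"?\s*$') {
        $findings += "Run value '$($rv.Name)' in $($rv.Key) = $($prop.Value)"
    }
}

# The additional key the post says the trojan creates.
$extraKey = 'HKLM:\Software\Microsoft\DownloadManager'
if (Test-Path -LiteralPath $extraKey) { $findings += "Key present: $extraKey" }

# Files in the Windows directory: the trojan's copy and the download name the post cites.
foreach ($name in 'REGISTRY.EXE', 'winrtu32.exe') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "File present: $path" }
}

# Dropper file names from the post, searched under the assumed roots.
$dropperNames = 'MINENEW.EXE.PIF', 'MINENEW.MPG.PIF'
foreach ($root in $SearchRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $dropperNames -contains $_.Name } |
        ForEach-Object { $findings += "Dropper present: $($_.FullName)" }
}

if ($findings.Count -eq 0) {
    'No Zasil indicators from the post were found.'
} else {
    $findings
}
```

The JPG dropped in %Temp% is not checked because the post does not give its file name.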