Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
heb.exe - The Trojan Installer Program
This section describes the Trojan installer program heb.exe and how McAfee VirusScan failed to stop it from installing malicious executable programs with random names in the system folder.
I continued my inspection of the McAfee VirusScan log file, OnAccessScanLog.txt, mentioned in the previous section, and found what the Trojan installer program heb.exe did to the system:
< date< 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\SYSTEM32\PCAXYOQRXA.EXE PWS-Mmorpg.gen (Trojan)
< date< 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\system32\pcaxyoqrxa.exe\pcaxyoqrxa.exe\0000d500.EXE PWS-Mmorpg.gen (Trojan)
< date< 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\SYSTEM32\CXBYQPRAYB.EXE PWS-Mmorpg.gen (Trojan)
< date< 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\system32\cxbyqprayb.exe\cxbyqprayb.exe\0000d500.EXE PWS-Mmorpg.gen (Trojan)
< date< 6:01:08 PM Cleaned hyang C:\WINDOWS\system32\xybzqcaxyo.exe c:\windows\system32\de02f764.dll PWS-OnlineGames.s (Trojan)
As you can see from the log records, as soon as the JavaScript Trojan downloader succeeded in downloading and saving the Trojan installer program heb.exe, this PWS Trojan tried to install multiple malicious programs onto the host system.
At the beginning, the installer program heb.exe tried to install executable files in the system folder under random file names such as PCAXYOQRXA.EXE. McAfee VirusScan was able to detect and delete 3 of them.
However, within 2 seconds of trying, heb.exe managed to install 1 malicious program in the system folder: C:\WINDOWS\system32\xybzqcaxyo.exe. The last log record shows that xybzqcaxyo.exe was executed and tried to install a malicious DLL file in the system folder.
Why did McAfee VirusScan fail to stop the Trojan installer heb.exe from saving this xybzqcaxyo.exe file in the system folder? I don't know the correct answer, but my guesses are: (1) xybzqcaxyo.exe did not contain any virus signature strings known to McAfee; (2) the Trojan fired too many file-saving threads, jamming the McAfee program and causing it to fail.
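As an added example (not code from the original tutorial or from McAfee), the following Python parses records in the column layout shown above and reconstructs which process wrote which file and which executables ran without ever being removed, which is exactly how xybzqcaxyo.exe stands out in the log. The column layout and the dates are assumptions, since the page shows the date redacted.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Column layout assumed from the records quoted in this section (paths contain no spaces):
# date  time  action  user  process  target  detection  (kind)
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s[AP]M)\s+(?P<action>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<process>\S+)\s+(?P<target>\S+)\s+"
    r"(?P<detection>\S+)\s+\((?P<kind>[^)]+)\)\s*$"
)

# Constructed sample: the five records from this section, with a placeholder date.
SAMPLE_LOG = r"""
1/1/2009 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\SYSTEM32\PCAXYOQRXA.EXE PWS-Mmorpg.gen (Trojan)
1/1/2009 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\system32\pcaxyoqrxa.exe\pcaxyoqrxa.exe\0000d500.EXE PWS-Mmorpg.gen (Trojan)
1/1/2009 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\SYSTEM32\CXBYQPRAYB.EXE PWS-Mmorpg.gen (Trojan)
1/1/2009 6:01:07 PM Deleted hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\system32\cxbyqprayb.exe\cxbyqprayb.exe\0000d500.EXE PWS-Mmorpg.gen (Trojan)
1/1/2009 6:01:08 PM Cleaned hyang C:\WINDOWS\system32\xybzqcaxyo.exe c:\windows\system32\de02f764.dll PWS-OnlineGames.s (Trojan)
"""

def parse_log(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def name_of(path):
    return PureWindowsPath(path).name.lower()

def drop_chains(records):
    """Map each writing process to the (file, action) pairs logged for it."""
    chains = defaultdict(list)
    for r in records:
        chains[name_of(r["process"])].append((name_of(r["target"]), r["action"]))
    return dict(chains)

def unblocked_processes(records):
    """Executables that ran (process column) but were never deleted as a target
    (files nested inside a deleted path count as deleted): they reached disk and ran."""
    removed = set()
    for r in records:
        if r["action"] == "Deleted":
            removed.update(p.lower() for p in PureWindowsPath(r["target"]).parts)
    return sorted({name_of(r["process"]) for r in records} - removed)
```

Feeding parse_log(SAMPLE_LOG) to unblocked_processes returns heb.exe and xybzqcaxyo.exe, the two droppers that executed without being removed; drop_chains shows the first wrote the files that were deleted and the second wrote the DLL that was only cleaned.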