TROJ_SEFNIT.SME
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan may arrive bundled with malware packages as a malware component. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It requires its main component to successfully perform its intended routine.
TECHNICAL DETAILS
Varies
DLL
Yes
07 Apr 2011
Drops files, Creates files
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
It may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Program Files%\Common Files\Watson\Watsonsubscriber.dll
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It creates the following folders:
- %Program Files%\Common Files\Watson
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c0533d96-89de-45b9-b2a5-7ee5a10c51bb}\InprocServer32
Default = "%Program Files%\Common Files\Watson\Watsonsubscriber.dll"
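The file, folder and registry artifacts listed in this entry can be checked on a host with a short PowerShell script. This is an added example, not part of the original entry; the variable names are assumptions, the WOW6432Node view is checked in addition to the key listed above, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example: look for the TROJ_SEFNIT.SME artifacts named in this entry.
$clsid   = '{c0533d96-89de-45b9-b2a5-7ee5a10c51bb}'   # CLSID from the entry
$relDir  = 'Common Files\Watson'                       # folder from the entry
$dllName = 'Watsonsubscriber.dll'                      # dropped copy from the entry

# %Program Files% differs on 64-bit Windows, so check both roots when present.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$findings = @()
foreach ($root in $roots) {
    $dir = Join-Path $root $relDir
    $dll = Join-Path $dir $dllName
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Location = $dir; Detail = '' }
    }
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        # Record the hash so the sample can be submitted or compared during triage.
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $dll; Detail = "SHA256=$hash" }
    }
}

# The key listed in the entry, plus the 32-bit registry view on 64-bit Windows
# (the second path is an assumption; the entry lists only the first).
$keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
    "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid\InprocServer32"
)
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $default = (Get-Item -LiteralPath $key).GetValue('')   # (Default) value
        $match   = $default -like "*\$relDir\$dllName"
        $findings += [pscustomobject]@{
            Type     = 'Registry'
            Location = $key
            Detail   = "Default=$default; PointsToWatsonDll=$match"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this entry were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the Program Files folders and the HKLM key are readable regardless of their ACLs.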
Other Details
This Trojan requires its main component to successfully perform its intended routine.