Zhelatin.102

Aliases: Generic.Zhelatin.A, WORM/Zhelatin.Gen (Antivir), Trojan.Peed.HQP (BitDefender), Trojan.Packed.187 (DrWeb), Email-Worm.Win32.Zhelatin.kx (KAV)
Date added: 2007-10-16

Details

Trojan files:
  • kernelw.sys (Rootkit driver; MD5: CC43010C40EC6907F2D0526C55495C16) 7712 bytes
  • kernelwind32.exe (main trojan file; MD5: 2CF0C3330E6E02B9BBFE31F4F2F77156) 18126 bytes
This trojan installs the rootkit driver C:\Windows\system32\kernelw.sys to hide its files and processes, then attempts to download additional trojan files from the Internet. The hidden files include kernelwind32.exe in the C:\Windows\system32 folder, which is the copy the trojan makes of itself when it is executed.

Removal

  1. Restart your computer in Safe Mode (Note: the trojan may block restart attempts; if so, use "shutdown -t 0" from a command prompt)
  2. Delete the file C:\Windows\system32\kernelw.sys
  3. Delete the file C:\Windows\system32\kernelwind32.exe
  4. Run a full scan with TrojanHunter and have it clean out anything it finds
  5. Restart your computer normally
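As an added example (not part of this advisory or of TrojanHunter), a small Python checker that looks for the two indicator files listed under Details and compares their MD5 and size against the values given there; the function names and the System32 path lookup are assumptions of this example. Run it from Safe Mode, because the kernelw.sys rootkit hides the files while it is loaded, which is why step 1 above comes first.

```python
# Added example: verify the Zhelatin.102 file indicators from the advisory.
# The file names, MD5 values and sizes are the advisory's; the helpers are hypothetical.
import hashlib
import os

# Indicators exactly as listed in the advisory: (file name, MD5, size in bytes).
ZHELATIN_INDICATORS = [
    ("kernelw.sys", "CC43010C40EC6907F2D0526C55495C16", 7712),
    ("kernelwind32.exe", "2CF0C3330E6E02B9BBFE31F4F2F77156", 18126),
]


def md5_of_file(path):
    """Hash a file in chunks so large files need not fit in memory; upper-case hex."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_indicators(system32_dir, indicators=ZHELATIN_INDICATORS):
    """Return one dict per indicator: whether the file exists in system32_dir and,
    if so, whether its MD5 and size match the advisory. A present file whose hash
    differs is still reported, since a repacked variant would look exactly like that."""
    findings = []
    for name, expected_md5, expected_size in indicators:
        path = os.path.join(system32_dir, name)
        result = {"file": name, "present": False, "md5_match": None, "size_match": None}
        if os.path.isfile(path):
            result["present"] = True
            result["md5_match"] = md5_of_file(path) == expected_md5
            result["size_match"] = os.path.getsize(path) == expected_size
        findings.append(result)
    return findings


def is_infected(findings):
    """The advisory lists both names as trojan files, so presence alone is a
    positive; an exact MD5 match additionally confirms the known sample."""
    return any(f["present"] for f in findings)


if __name__ == "__main__":
    # Assumes the standard SystemRoot layout; falls back to C:\Windows.
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    findings = check_indicators(system32)
    for finding in findings:
        print(finding)
    print("infected:", is_infected(findings))
```

If a file is present but its MD5 does not match, treat it as a variant and still carry out the removal steps, then confirm the files are gone after the normal restart in step 5.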