Spreads using different IRC servers.
Windows NT, Windows 2000, Windows XP, Windows Server 2003
This backdoor Trojan is dropped by the email worm Mydoom.U.
When activated, it makes the following registry entry:
It creates two copies in the following directories:
The following files are also created:
%sysdir%\dx32cxel.sys (4096 bytes)
%sysdir%\dx32cxconf.ini (17 bytes)
%sysdir%\SVKP.SYS (2368 bytes)
The 'hosts' file is modified so that the websites of many antivirus providers cannot be accessed. The 'hosts' file is usually:
The following IP addresses are contacted:
The above registry entry ensures that the file 'dx32cxel.sys' starts as a service. Once started, it hides active processes and files from the user.
The following message appears if any monitoring programs, such as Filemon or Regmon, are active:
"Application cannot be run with debugger or monitoring tool(s) loaded!
Please unload it and restart the application."
Manual Removal Instructions
To remove the backdoor Trojan, the following registry entry has to be deleted:
After restarting Windows, the above-mentioned files must be deleted.
Description inserted by Crony Walker on Tuesday, June 15, 2004
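The following triage check is an added example, not part of the original description or of any vendor tool. Because the service hides files on the running system, it assumes the system directory and the 'hosts' file content are read from an offline-mounted copy of the disk; the function names and the sample hostnames are hypothetical.

```python
import os
import tempfile

# File names and sizes as listed in the description above (%sysdir% entries).
INDICATORS = {"dx32cxel.sys": 4096, "dx32cxconf.ini": 17, "svkp.sys": 2368}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
BENIGN_HOSTS = {"localhost"}


def scan_sysdir(sysdir):
    """Return {name: 'match' | 'name-only'} for indicator files found in sysdir."""
    hits = {}
    for entry in os.listdir(sysdir):
        expected = INDICATORS.get(entry.lower())  # Windows names are case-insensitive
        if expected is None:
            continue
        size = os.path.getsize(os.path.join(sysdir, entry))
        # 'name-only' means same name but a different size: review it by hand.
        hits[entry.lower()] = "match" if size == expected else "name-only"
    return hits


def blocked_hosts(hosts_text):
    """Return hostnames that a hosts file pins to a loopback or null address."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            blocked += [h.lower() for h in fields[1:] if h.lower() not in BENIGN_HOSTS]
    return blocked


def demo():
    """Run both checks on constructed sample data and return the results."""
    with tempfile.TemporaryDirectory() as sysdir:
        # Constructed files: one exact match, one size mismatch, one unrelated.
        for name, size in (("DX32CXEL.SYS", 4096), ("dx32cxconf.ini", 20), ("kernel32.dll", 10)):
            with open(os.path.join(sysdir, name), "wb") as fh:
                fh.write(b"\0" * size)
        files = scan_sysdir(sysdir)
    # Constructed hosts content; the vendor names are placeholders.
    sample = ("127.0.0.1 localhost\n"
              "127.0.0.1 av-vendor.example www.av-vendor.example # added\n"
              "10.0.0.5 intranet\n")
    return files, blocked_hosts(sample)


if __name__ == "__main__":
    print(demo())
```

Any hostname returned by `blocked_hosts` should be compared against the sites that became unreachable before the entry is removed from the 'hosts' file.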