Win32/Genme [Threat Name] go to Threat

Win32/Genme.H [Threat Variant Name]

Category trojan
Size 13824 B
Detection created Sep 27, 2011
Detection database version 6498
Aliases Trojan-Dropper.Win32.Mixus.gen (Kaspersky)
  TrojanDropper:Win32/Mixus.G (Microsoft)
  BackDoor-CKG.gen.trojan (McAfee)
Short description

Win32/Genme.H is a trojan that changes the home page of certain web browsers. The trojan serves as a proxy server.


When executed, the trojan copies itself into the following location:

  • %system%\­mds.exe

The trojan may create the following files:

  • %system%\­msdor.dll (3072 B, Win32/Genme.A)
  • %system%\­son.exe (3072 B, Win32/Genme.H)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "mds.exe" = "%system%\­mds.exe"
    • "msn.exe" = "%system%\­son.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "mds.exe" = "%system%\­mds.exe"
    • "msn.exe" = "%system%\­son.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Start Page" = ""
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Start Page" = ""
    • "Default_Page_URL" = ""
Other information

The trojan opens the following URLs in Internet Explorer :

  • http://212.%removed%/index_type.php?Client=%ipaddress%&Name=%variable%

A string with variable content is used instead of %ipaddress%, %variable% .

The trojan opens a random TCP port. The trojan serves as a proxy server.

Please enable Javascript to ensure correct displaying of this content and refresh this page.