Win32/ServStart [Threat Name] go to Threat

Win32/ServStart.CH [Threat Variant Name]

Category trojan
Size 12800 B
Aliases Trojan:Win32/Comisproc (Microsoft)
  Trojan.Panddos (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %windir%\­WinHelp32.exe

The trojan registers itself as a system service using the following name:

  • Serumt32

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­Serumt32]
    • "Type" = 16
    • "Start" = 2
    • "ImagePath" = "%windir%\­WinHelp32.exe"
    • "DisplayName" = "Windows Sonl System"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Windows Shrj System for X32 windows desktop"

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • CPU information
  • memory status
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. The HTTP, TCP protocol is used.

It can execute the following operations:

  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address

Please enable Javascript to ensure correct displaying of this content and refresh this page.