A trojan is a type of malware designed to harm a computer system that, unlike a virus or a worm, does not replicate itself. Some trojans can penetrate a system's protection on their own in order to invade and infect it; more commonly, a trojan enters a system together with a virus or a worm, as a result of careless user behaviour, or through an active attack.
Trojan password stealers (Trojan-PSW) are trojans designed to steal passwords and other confidential data without keystroke logging: they extract the passwords directly from the files in which applications store them.
To disinfect a system compromised by malware of the family Trojan-PSW.Win32.Kates (also known as W32/Daonol), use the Kaspersky Anti-Virus installed on the PC. If Kaspersky Anti-Virus is not installed, we recommend installing a Kaspersky Lab application or using the KatesKiller.exe utility to remove malware of the Trojan-PSW.Win32.Kates family.
Disinfection of an infected system
- Download the archive KatesKiller.zip and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).
- Run the KatesKiller.exe file.
- Wait for the scan and disinfection to finish. No reboot is needed after disinfection.
Optional parameters to run the utility from the command line
-l <file_name> – write the log to the specified file;
-v – detailed logging (must be used together with -l);
-s – scan in "silent" mode (without opening a console window);
-y – close the utility's window when it finishes.
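As an added example (not part of the original Kaspersky Lab article), the following PowerShell script performs the three disinfection steps unattended: it extracts the archive, runs KatesKiller.exe with the -l, -v and -y parameters so that a detailed log is written and the window closes on completion, and then shows the log. The archive and log paths are assumptions, as is the use of Expand-Archive (Windows PowerShell 5.0 or later); the exit code is printed as reported, because the article does not document its meaning.

```powershell
# Added example: unattended run of KatesKiller.exe with logging.
# Assumptions (not from the article): the archive is in C:\Tools and the
# log is written to C:\Tools\KatesKiller\KatesKiller.log.
$archive = 'C:\Tools\KatesKiller.zip'
$workDir = 'C:\Tools\KatesKiller'
$logFile = Join-Path $workDir 'KatesKiller.log'

# Step 1: extract the archive into a folder on the (potentially) infected PC.
Expand-Archive -Path $archive -DestinationPath $workDir -Force

# Step 2: run the utility. -l writes the log, -v makes it detailed (requires -l),
# -y closes the utility's window when the scan and disinfection finish.
$exe = Join-Path $workDir 'KatesKiller.exe'
$proc = Start-Process -FilePath $exe `
    -ArgumentList @('-l', "`"$logFile`"", '-v', '-y') `
    -WorkingDirectory $workDir -Wait -PassThru

# Step 3: -Wait has blocked until the scan finished; review the result.
# No reboot is needed after disinfection.
"KatesKiller.exe exited with code $($proc.ExitCode) (exit codes are not documented in the article)"
if (Test-Path $logFile) {
    Get-Content -Path $logFile
} else {
    Write-Warning "No log was written to $logFile"
}
```

Run the script from an elevated PowerShell prompt so that the utility can remove the malicious files and registry keys; if you prefer no console window at all, replace -y with -s and keep -l so that the log remains the only output.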
Signs of Trojan-PSW.Win32.Kates infection
- Antivirus software detects an infected file with a random name and extension; when the file is deleted, it is immediately restored (this does not apply to Kaspersky Lab applications, as Kaspersky Anti-Virus has a special disinfection procedure).
- explorer.exe terminates when an attempt is made to start any of the following applications:
- Registry editor (regedit.exe);
- Command line (cmd.exe);
- Total Commander.
- Files with the following extensions cannot be started:
- The following functions are hooked in almost all processes:
An experienced user can inspect the hooks with a tool such as Gmer or Rootkit Unhooker.
When run without parameters, the utility:
- Detects and kills malicious threads;
- Detects function hooks and unhooks the functions;
- Detects and removes files and registry keys belonging to the malicious program.
- No reboot is needed after disinfection.