TROJ_BLAZEFIND.A
--------------------------------------------------------------------------------
Virus type: Trojan
Destructive: No
Pattern file needed: 1.954.13
Scan engine needed: 6.810
Overall risk rating: Very Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: Medium
Distribution Potential: Low
--------------------------------------------------------------------------------
Description:
This Trojan installs itself in the background while other processes are running. It downloads an executable file from the site http://omniscient.blazefind.com without the user's consent.
It creates the folder %Program Files%\WindowsSA where it puts all its downloaded components.
This Trojan may be used to download other malware and execute it on the targeted system.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Engine and Template.
MANUAL REMOVAL INSTRUCTIONS
Restarting in Safe Mode
» On Windows 95
Restart your computer.
Press F8 at the Starting Windows 95 message.
Choose Safe Mode from the Windows 95 Startup Menu then press Enter.
» On Windows 98 and ME
Restart your computer.
Press the CTRL key until the startup menu appears.
Choose the Safe Mode option then press Enter.
» On Windows NT (VGA mode)
Click Start>Settings>Control Panel.
Double-click the System icon.
Click the Startup/Shutdown tab.
Set the Show List field to 10 seconds and click OK to save this change.
Shut down and restart your computer.
Select VGA mode from the startup menu.
» On Windows 2000
Restart your computer.
Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
» On Windows XP
Restart your computer.
Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Windows SA = "%Program Files%\WindowsSA\omniscient.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right panel, locate and modify the entry:
UserInit = "%System%\wsaupdater.exe"
To:
UserInit="%System%\userinit.exe,"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
Again in the right panel, locate and delete other keys containing the value:
"%System%\wsaupdater.exe"
Close Registry Editor.
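To confirm which entries the registry steps above apply to before editing, the following added example (not Trend Micro's tooling) scans a registry export for the autostart entries named on this page. It assumes the two keys were exported to `.reg` text with Registry Editor and already decoded to a string; the sample export and its `ExampleApp` and `ExampleValue` entries are constructed for illustration.

```python
import re

# Keys named in the removal steps, lowercased for case-insensitive comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# A string value line in a .reg export: "name"="data" with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not from a real host); ExampleApp and
# ExampleValue are hypothetical entries added for illustration.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"Windows SA"="C:\\Program Files\\WindowsSA\\omniscient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\System32\\wsaupdater.exe"
"ExampleValue"="C:\\WINDOWS\\System32\\wsaupdater.exe"
"""

def unescape(s):
    """Undo .reg escaping: a backslash followed by any character is that character."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, name, data) for each string value in decoded .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_blazefind_autostarts(text):
    """Return (action, key, name, data) for entries the removal steps target."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == RUN_KEY and (n == "windows sa" or r"\windowssa\omniscient.exe" in d):
            findings.append(("delete", key, name, data))
        elif "wsaupdater.exe" in d:
            # Userinit is restored to userinit.exe, never deleted; other values go.
            restore = k == WINLOGON_KEY and n == "userinit"
            findings.append(("restore" if restore else "delete", key, name, data))
    return findings

if __name__ == "__main__":
    for finding in find_blazefind_autostarts(SAMPLE_REG):
        print(*finding, sep=" | ")
```

The "restore" action corresponds to the step that sets UserInit back to userinit.exe; deleting that value instead would leave Winlogon without its logon initializer.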
--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Removing Downloaded Files
Go to the Program Files folder.
Delete the folder:
WindowsSA
Removing Other Malware Related Files
Delete the following file:
%System%\wsaupdater.exe
(NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.)
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as TROJ_BLAZEFIND.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.
For additional information about this threat, see Technical Details.
Copyright 1989-2004 Trend Micro, Inc. All rights reserved.