06-08-2004, 11:43 AM
|
#1 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Location: NJ
Posts: 3,600
|
WARNING Virus detected!
I opened my Teamspeak today and got a virus warning. I was on last night and had no problems so I'm not sure when I got this virus. Here's the info from Norton:
PWS.Hooker.Trojan is the detection for known variants in this family of Trojan horses. Trojans in this family attempt to steal passwords and IP addresses from compromised computers.
When the Trojan runs, it does the following:
It copies itself as C:\%System%\Kern32.exe.
NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It also drops C:\%System%\Hksdll.dll. This file is a component of, and is detected as W32.Badtrans.gen@mm.
The Trojan adds the value
"kernel32"="C:\%System%\kern32.exe"
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
This causes the Trojan to run the next time you start Windows.
Keystrokes can be logged and sent to the hacker.
|
|
|
06-08-2004, 11:54 AM
|
#2 (permalink)
|
|
Server Admin/Forum Moderator
Join Date: Mar 2004
Location: Indiana
Posts: 1,060
|
Hmmm.. Well, I was not on last night, but I will let you know if I find something when I get home tomorrow night. Thanks for the heads up Stryker.
__________________
EoDDev Trahn Lee Liao NinjaServe Server Admin.
|
|
|
06-08-2004, 12:10 PM
|
#3 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Posts: 526
|
Yeah, thanks for the heads up....I suppose I should get to reinstalling Norton asap! Wonder if it spreads through TS, don't see how, but whatever....bastards!
Drayu
|
|
|
06-08-2004, 12:19 PM
|
#4 (permalink)
|
|
Administrator
Join Date: Mar 2004
Location: Port St. Lucie, FL
Posts: 4,642
|
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
I seriously doubt u got it from using TS. This trojan has been around since 2000. TS would have patched that hole by now, if there ever was one. You probably installed something that was infected, or maybe it was in an email.
Nonetheless, if it is TS related problem, others are now aware. Thanks.
|
|
|
06-08-2004, 12:34 PM
|
#5 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Posts: 985
|
I just found the same virus on my cpu too
__________________
Everyone picks their own poison
|
|
|
06-08-2004, 12:37 PM
|
#6 (permalink)
|
|
Senior Member
Join Date: May 2004
Location: Deutschland!!!!
Posts: 267
|
It's funny, or actually not so funny, but I had the same one in my TS folder:
PWS.Hooker.Trojan is the detection for known variants in this family of Trojan horses. Trojans in this family attempt to steal passwords and IP addresses from compromised computers.
The file C:\Program Files\TEAMSP~1\KeyPress.dll is infected with the PWS.Hooker.Trojan virus.
It's easily removed. And look what Norton says:
The following is a description of a specific PWS.Hooker.Trojan variant, which the W32.Badtrans.gen@mm worm can drop.
When the Trojan runs, it does the following:
It copies itself as C:\%System%\Kern32.exe.
NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It also drops C:\%System%\Hksdll.dll. This file is a component of, and is detected as W32.Badtrans.gen@mm.
The Trojan adds the value
"kernel32"="C:\%System%\kern32.exe"
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
This causes the Trojan to run the next time you start Windows.
|
|
|
06-08-2004, 12:40 PM
|
#7 (permalink)
|
|
Administrator
Join Date: Mar 2004
Location: Port St. Lucie, FL
Posts: 4,642
|
I scanned my system before going to work this morning. No problems.
I'll go to Trend Micro's online scanner and get a second opinion.
|
|
|
06-08-2004, 12:57 PM
|
#8 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Location: NJ
Posts: 3,600
|
I searched my registry and didn't find the key they say it enters. I also didn't have a directory like they said it makes. Maybe I got it before it even started up. I have scanned my entire HD with the latest definitions from Norton. I then disabled system restore and then rebooted. I scanned again thinking it might reassert itself after a reboot but everything is clear. I'm hoping Norton caught it quick enough that nothing happened. Regardless I'm going to uninstall TS and reinstall it fresh.
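The indicators in the Norton description quoted in posts #1 and #6, and the manual registry and file search described in post #8, can be checked in one pass. The PowerShell below is an added example, not part of any post; the function name Find-HookerArtifact and its parameter names are made up for illustration, and the KeyPress.dll path is the one reported in post #6.

```powershell
# Added example: read-only check for the PWS.Hooker.Trojan artifacts named in the
# Norton description. It reports what it finds and changes nothing.
function Find-HookerArtifact {
    param(
        # Candidate %System% folders; the description names both variants.
        [string[]]$SystemDirs = @("$env:SystemRoot\System", "$env:SystemRoot\System32"),
        # Path of the file Norton flagged in post #6 (taken from that post).
        [string]$FlaggedDll = 'C:\Program Files\TEAMSP~1\KeyPress.dll',
        [string]$RunOnceKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # 1. Dropped files: Kern32.exe and Hksdll.dll in the system folder,
    #    plus the flagged DLL so its hash can be compared with a clean install.
    $candidates = foreach ($dir in $SystemDirs) {
        foreach ($name in 'Kern32.exe', 'Hksdll.dll') { Join-Path $dir $name }
    }
    foreach ($path in @($candidates) + $FlaggedDll) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Kind   = 'File'
                Where  = $path
                Detail = "modified $($item.LastWriteTime.ToString('s'))"
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }

    # 2. Persistence: a RunOnce value named "kernel32" or pointing at kern32.exe.
    #    String comparisons in PowerShell are case-insensitive by default.
    $key = Get-Item -LiteralPath $RunOnceKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($valueName -eq 'kernel32' -or $data -match 'kern32\.exe') {
                [pscustomobject]@{
                    Kind   = 'RunOnce value'
                    Where  = "$RunOnceKey\$valueName"
                    Detail = $data
                    SHA256 = $null
                }
            }
        }
    }
}

$findings = @(Find-HookerArtifact)
if ($findings.Count -eq 0) { 'No listed artifacts found.' }
else { $findings | Format-List }
```

Windows deletes a RunOnce value when it executes the command, so an empty registry result does not by itself show the value was never written; the file checks and the hash of the flagged DLL are the more durable evidence.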
|
|
|
06-08-2004, 12:59 PM
|
#9 (permalink)
|
|
Administrator
Join Date: Mar 2004
Location: Port St. Lucie, FL
Posts: 4,642
|
maybe u and Icepick got it from the same source. name the last 3 things u downloaded.
|
|
|
06-08-2004, 01:06 PM
|
#10 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Location: NJ
Posts: 3,600