Discovered: August 20, 2010
Updated: April 09, 2019 3:30:30 PM
Type: Trojan
Systems Affected: Windows
Trojan.Gen.2 is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.
Trojan horse programs pose as legitimate programs or files that users may recognize and want to use. They rely on this trick to lure a user into inadvertently running the Trojan. Often a Trojan will mimic a well known legitimate file name or pose as a particular type of file, like a .jpg or .doc file to trick a user.
Distribution of Trojans on to compromised computers occurs in a variety of ways. From email attachments and links to instant messages, drive-by downloads and being dropped by other malicious software. Once installed on the compromised computer, the Trojan begins to perform the predetermined actions that it was designed for.
Antivirus Protection Dates
-
- Initial Rapid Release version August 20, 2010
-
- Latest Rapid Release version September 29, 2019 revision 007
-
- Initial Daily Certified version August 20, 2010
-
- Latest Daily Certified version August 15, 2019 revision 002
-
- Initial Weekly Certified release date August 24, 2011
-
Click
Sie müssen registriert sein, um Links zu sehen.
for a more detailed description of Rapid Release and Daily Certified virus definitions.
Technical Description
Trojan.Gen.2 is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.
Background information
Trojan horse programs masquerade as applications or files that entice a user to open it. A Trojan horse may copy itself on to the compromised computer, but it doesn't make copies of itself and spread like a virus which is a key difference between a Trojan and a virus. For more information, please see the following resource:
Sie müssen registriert sein, um Links zu sehen.
While most Trojans only execute their own malicious code, some Trojans may actually perform the actions of the file they pretend to be, but then they execute their own malicious code on the compromised computer. Other Trojans make it appear that they are performing the desired actions, but in reality do nothing but trigger their malicious routines.
Trojans arrive on to compromised computers in a variety of ways. These methods distribute the Trojan, often as rapidly as possible, so that the Trojan can maximize the opportunity to perform its main function in a large user population before they are detected by antivirus software.
One of the most common methods is for the Trojan to be spammed as an email attachment or a link in an email. Another similar method has the Trojan arriving as a file or link in an instant messaging client. These methods often rely on social engineering techniques to tempt the user to click on the link or open the file since many of these emails and instant messages appear to come from people the user knows. These techniques will play on a user's curiosity about the big new item such as a celebrity scandal, crisis, catastrophe, or major global event.
Another means of arrival includes a method called drive-by downloads. A drive-by download occurs when a user goes to a website that is either legitimate, but compromised and exploited or malicious by design. The download occurs surreptitiously without the user's knowledge. Alternatively, the user is asked to update or add a video codec when at a malicious website. When the user complies with this request, they inadvertently download a Trojan pretending to be the video codec.
Finally, a Trojan horse program can be dropped or downloaded by other malicious software or by legitimate programs that have been compromised or exploited on the compromised computer.
Who creates Trojans?
Trojan horse programs were once created by malware authors for an assortment of reasons, most especially the infamy of destruction and damage and to make a name for themselves by proving they could write malicious programs. Trojans are now generally created by malware authors with the intent of making a profit.
What happens after the Trojan is installed?
Once it is executed on the compromised computer, a Trojan horse program may create files and registry entries. It may copy itself to various locations. It may start a service or inject itself into processes and then carry out its primary functions.
What can Trojans do?
Trojans can perform a large variety of actions. Some Trojan actions that are most commonly seen include:
- Distributed Denial of Service
- Downloading files
- Dropping additional malware
- Disabling security-related programs
- Opening a back door
- Stealing confidential and financial information
Are there any tell-tale signs?
As deception is one of the hallmarks of Trojan horse programs, many will run with as much stealth as possible. This means that, in the majority of cases, there will not be any obvious tell-tale signs that they are running on a computer. However, there are some Trojans that may display messages or dialog boxes and some that may display picture files or open a text file.
What are the risks?
Damage from Trojans range from a relatively minimal risk of annoyance and nuisance to a high risk of destruction or loss to the user. Hidden files, modified registry entries and annoying but harmless displays of pictures or error messages are examples of some of the low risk actions associated with Trojans.
On the other end of the scale, the potential for identity theft is high and is a risk considered to be personally damaging to a user. Another high and potentially destructive risk is the opening of a back door that can allow a remote attacker access to the compromised computer to perform many actions, such as:
- Create administrator accounts
- Participate in a Distributed Denial of Service (DDoS)
- Provide confidential computer information
- Redirect GRE, TCP, HTTP, HTTPS, SOCKS4, and SOCKS5 traffic
What can I do to minimize the risks?
Back door server and Trojan horse programs often use enticing file names to trick users into executing them. Do not open or execute files from unknown sources.
As a general rule, users should always run up-to-date antivirus software with real-time protection such as
Sie müssen registriert sein, um Links zu sehen.
or
Sie müssen registriert sein, um Links zu sehen.
. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block download activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent programs such as these from executing in the first place.
How can I find out more?
Advanced users can submit a sample to
Sie müssen registriert sein, um Links zu sehen.
to obtain a detailed report of the system and file system changes caused by a threat.
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Removal
You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.
Before proceeding further we recommend that you
Sie müssen registriert sein, um Links zu sehen.
. If that does not resolve the problem you can try one of the options available below.
FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.
Removal Tool
-
Sie müssen registriert sein, um Links zu sehen.
-
Sie müssen registriert sein, um Links zu sehen.
)
