Info Trojan

Classification

Category: Malware

Type: Trojan

Aliases: Info Trojan

Summary

This is not a virus but a trojan horse.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

INFO.EXE is a 200 KB 16-bit Windows application. I think it was originally claimed to be a sex screen saver. When executed, it displays a number in a message box. After that, it copies notepad.exe to notepad.ini and overwrites notepad.exe with itself. It also copies itself to the Windows system directory as sex.scr and pr0gman.exe. It modifies the win.ini load section to point to this pr0gman.exe.

When the overwritten notepad.exe is executed, it runs the original notepad.exe from the .ini file (notepad.ini).
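A triage check for the artifacts described above, as an added example that is not part of the original description: it looks for pr0gman.exe on the load= line of the [windows] section of win.ini, for the dropped copies, and for a notepad.ini that begins with an MZ executable header. The function names, sample paths and sample file contents are constructed for illustration.

```python
import ntpath

# File names taken from the description above.
DROPPED_NAMES = {"pr0gman.exe", "sex.scr"}

def load_entries(win_ini_text):
    """Return the programs listed on load= in the [windows] section of win.ini."""
    section, entries = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() == "load":
                # Entries are split on whitespace or commas.
                entries += value.replace(",", " ").split()
    return entries

def find_indicators(win_ini_text, files):
    """files maps a path to the first bytes of that file (constructed input)."""
    findings = []
    for entry in load_entries(win_ini_text):
        if ntpath.basename(entry).lower() in DROPPED_NAMES:
            findings.append(("win.ini load= entry", entry))
    for path, head in files.items():
        name = ntpath.basename(path).lower()
        if name in DROPPED_NAMES:
            findings.append(("dropped copy", path))
        # An MZ header in notepad.ini means it is the displaced notepad.exe.
        elif name == "notepad.ini" and head[:2] == b"MZ":
            findings.append(("executable stored as .ini", path))
    return findings

# Constructed sample data, not taken from a real infected system.
SAMPLE_WIN_INI = """[windows]
load=C:\\WINDOWS\\SYSTEM\\pr0gman.exe
run=
[Desktop]
Wallpaper=(None)
"""
SAMPLE_FILES = {
    "C:\\WINDOWS\\SYSTEM\\pr0gman.exe": b"MZ\x90\x00",
    "C:\\WINDOWS\\SYSTEM\\sex.scr": b"MZ\x90\x00",
    "C:\\WINDOWS\\notepad.ini": b"MZ\x90\x00",
    "C:\\WINDOWS\\system.ini": b"[boot]\r\n",
}

if __name__ == "__main__":
    for kind, where in find_indicators(SAMPLE_WIN_INI, SAMPLE_FILES):
        print(f"{kind}: {where}")
```

A hit on notepad.ini also tells you where the original Notepad binary is, which matters when restoring the overwritten notepad.exe.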

The trojan sometimes displays a box with German or English text in it:

"This is a computer Virus. DO NOT SHUT DOWN YOUR COMPUTER.
'If you do so, every data will be lost.But this virus gives you a chance :
Use the button "Copy INFO.EXE to Drive A:" to copy the Virus to a floppy
disk.Start INFO.EXE on TWO other computers with Windows. A small window
"INFO" will appear on each computer only with a Number in it. Each number
is one password. On every computer will appear a different password. Type
in these two passwords into the two edit fields above and press "Remove
Virus". The Virus will be deletet.But you have only a few hours to do so
(see timer above). Do NOT try to start INFO.EXE on this
computer
Do not
end this program. Do not shut down this computer. Do not type in wrong
passwords. Do not type in the same password in both fields. In case you do
so anyway you know what will happen ... be very careful !But you may
give the INFO.EXE other people to get the two passwords. You may tell them
it is a testing program or somewhat. They only have to tell you the number
wich appears on their computers ... be creative...But do not end this
program !
This is the only program wich can rebuild your data wich it has already
encrypted.... so hurry up !"