Variant: Trojan.Verprud
Operating Systems Affected: Windows 9x, 2000, ME, XP, NT, Windows Vista, Windows 7

Trojan.Verprud is a Trojan horse designed to steal browser cookies from the infected system. Once it has infected a system, the Trojan modifies the registry so that it runs every time Windows loads. It then disables the protected mode of Internet Explorer 8 to lower its security settings.
A cookie, also known as a web cookie, browser cookie, or HTTP cookie, is a piece of text stored by a user's web browser. It can be used for authentication, site preferences, session identifiers and any other use that requires storing text data. [source: Wikipedia]
Manual Removal Guide:
• Disable system restore (Windows ME and XP users only)
• Boot to safe mode (Press the F8 key before the Windows Logo appears then log in on an account with administrator credentials)
• Delete browser cookies and cache (Internet Explorer / Firefox / Opera / Chrome)
• Show hidden files and folders (Open My Computer → Tools → Folder Options → View Tab → click show hidden folders, files and drives. Uncheck hide operating system files. Click OK)
• Delete the following Trojan-infected files:
%System%\appconf32.exe
%System%\cock
%System%\xmldm
• Delete the following Trojan-added registry values: (Click Start → Run → regedit → OK)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,%System%\appconf32.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"del" = "%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"prd" = "[RANDOM URL]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"vendor" = "Old"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ver" = "[THREE NUMBERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"w8" = "USA_[ENCRYPTED STRING]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh\"prh" = "[RANDOM URL]"
{Disclaimer: Registry modification is done at your own risk. Back up the registry before making any changes!}
• Update anti-virus definition files
• Run anti-virus full system scan
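
The files and registry values listed in the removal steps above can be checked for before and after cleanup with a read-only script. The following PowerShell is an added example, not part of the original guide; it assumes PowerShell is available (as on Windows 7) and that the guide's %System% is the Windows system directory. It only reports and changes nothing.

```powershell
# Added example: read-only audit for the Trojan.Verprud artifacts listed in
# the removal guide. Variable names here are illustrative assumptions.

$sys = [Environment]::SystemDirectory      # assumed to be the guide's %System%
$findings = @()

# Files the guide lists under %System%
foreach ($name in 'appconf32.exe', 'cock', 'xmldm') {
    $path = Join-Path $sys $name
    if (Test-Path -Path $path) { $findings += "file present: $path" }
}

# Userinit holds a comma-separated list of programs run at logon.
# Report every entry other than userinit.exe in the system directory.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $sys 'userinit.exe'
foreach ($entry in ($userinit -split ',')) {
    $entry = $entry.Trim().Trim('"')
    # -ne on strings is case-insensitive; empty pieces come from the trailing comma
    if ($entry -and $entry -ne $expected) {
        $findings += "unexpected Userinit entry: $entry"
    }
}

# Value names the guide lists under Internet Settings
$inet = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
foreach ($name in 'del', 'prd', 'vendor', 'ver', 'w8') {
    if ($props -and $props.PSObject.Properties[$name]) {
        $findings += "registry value present: $inet\$name = $($props.$name)"
    }
}

# The guide also lists a "prh" value under a "prh" subkey
$prh = Get-ItemProperty -Path "$inet\prh" -Name prh -ErrorAction SilentlyContinue
if ($prh) { $findings += "registry value present: $inet\prh\prh = $($prh.prh)" }

if ($findings) { $findings } else { 'No listed Trojan.Verprud artifacts found.' }
```

Userinit is a standard Windows value that lists the programs run at logon, so the finding to act on there is the extra appconf32.exe entry reported by the script.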