The Trojan, Backdoor.Death.25 (a.k.a. Lamers Death 2.5), is trying to sneak onto users' computers disguised as a Kaspersky anti-virus upgrade. The misdeed is carried out by an email carrying the Apher Trojan, responsible for downloading and installing Lamers Death. The sent email spoofs the From address so that it appears to be 'From: info@microsoft.com'. The email reads as follows:
Subject: Protect Your NetWare with Kaspersky Anti-Virus
Kaspersky Labs, an international data-security software developer,
announces the official release of Kaspersky Anti-Virus 4.0. "We are
pleased to present the latest version of our anti-virus product. The
unique technology, updated design, and perfected administering system
integrated into Kaspersky Anti-Virus 4.0 is the result of many years of
work dedicated to improving the ease of working with the program and
increasing computer defense reliability," said Natalya Kaspersky,
Kaspersky Labs CEO. The new Kaspersky Anti-Virus version (Personal Pro,
Personal, Lite) fully supports the Microsoft Windows XP operating
system. Amongst this version's latest innovations are: a complete user
interface upgrade corresponding to Tree Chart technology; perfected
system installation that allows for saving the configuration of
previously installed versions, and a quarantine feature for isolating
infected and suspicious objects; expanded treatment of infected archived
files; an added function for the treatment of Microsoft Outlook Express
and objects upon system start up and also a memory scanning of active
applications; and simplified operating features for disk recovery.
Best regards,
If you have any questions
please call
+1(866) 7280-290
The email carries an attached file, AAprices.exe, containing the Apher download Trojan. If opened, Apher downloads the Backdoor.Death.25 (Lamers Death) Trojan and installs it on the system. Lamers Death listens on Port 30003 and provides remote access capabilities which, according to Kaspersky, "permits the evildoer to clandestinely manage an infected computer".
Removing the Infection
Locate and delete the file VBWINSOK.EXE from the Windows\System directory.
Edit the registry and remove the value 'VBWINSOK.EXE' from both of the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reboot the system when done.
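As an added example (not part of the original article), the following PowerShell function checks a Windows host for the indicators described above: the dropped file VBWINSOK.EXE, Run-key values that launch it, and a listener on TCP port 30003; with -Remove it also carries out the file and registry cleanup steps listed. It assumes it is run as Administrator, that Get-NetTCPConnection is available (Windows 8 and later), and it checks both the article's Windows\System path and System32.

```powershell
# Added example, not from the original article. Looks for the Backdoor.Death.25
# (Lamers Death) indicators: the dropped file, its Run-key entries and a listener
# on TCP 30003. With -Remove it deletes the file and the Run entries.
# Assumptions: run elevated; Get-NetTCPConnection exists (Windows 8+);
# both Windows\System (the article's path) and System32 are checked.
function Test-LamersDeath {
    param([switch]$Remove)

    $valueName = 'VBWINSOK.EXE'
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $files = @(
        (Join-Path $env:SystemRoot 'System\VBWINSOK.EXE'),
        (Join-Path $env:SystemRoot 'System32\VBWINSOK.EXE')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($file in $files) {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $findings.Add("File present: $file")
            if ($Remove) { Remove-Item -LiteralPath $file -Force }
        }
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Match the value name the backdoor uses, or any Run entry whose
            # command line references the dropped executable.
            if ($p.Name -ieq $valueName -or ("$($p.Value)" -imatch 'VBWINSOK\.EXE')) {
                $findings.Add("Run entry: $key\$($p.Name) = $($p.Value)")
                if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $p.Name }
            }
        }
    }

    # Lamers Death listens on port 30003; an unexpected listener there is a
    # strong signal even if the executable has been renamed.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 30003 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("TCP 30003 listener: PID $($l.OwningProcess) ($($proc.ProcessName))")
    }
    return $findings
}
```

Run it without -Remove first to review what it finds; a running VBWINSOK.EXE may hold its file open, so the article's reboot step still applies after removal.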