Trojan.Milicenso
Posted: June 22, 2012
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs reported in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a popular threat but does not necessarily mean it has infected a large number of systems; a threat with a high detection count could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equals sign, represents the recent movement of a particular threat. An up arrow represents an increase, a down arrow a decline, and the equals sign no change in the threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path, indicating a rise or decline in the percentage.
| Field | Value |
|---|---|
| Threat Level | 9/10 |
| Infected PCs | 9 |
| First Seen | June 22, 2012 |
| Last Seen | March 30, 2020 |
| OS(es) Affected | Windows |
Trojan.Milicenso is a Trojan downloader that disguises itself as a low-level nuisance while it carries out other attacks against the infected PC. Because its payload is configurable, the risks of an infection vary, but its trademark side effect is a seemingly endless run of printouts, caused by a fake printer spool (.spl) file that it drops during infection. Trojan.Milicenso infections have been observed since 2010, but SpywareRemove.com malware researchers have noted a significant increase in attacks as of the time of this writing; residents of India and the United States should be considered particularly at risk of infection via fake video codec files.
How Trojan.Milicenso Uses Minor Malware to Hide Worse Intentions
Recent versions of Trojan.Milicenso have been distributed in South America, Europe, the US and India through various methods, but especially by way of fake codec files. The lure is a video that refuses to play, followed by a prompt to update your player or a related media package; what the "update" actually installs is Trojan.Milicenso rather than a codec. As usual, SpywareRemove.com malware researchers encourage potential victims (namely, anyone running Windows from version 95 up to Server 2008) to install media software only from reputable sources.
Trojan.Milicenso is particularly noted to include Adware.Eorezo as part of its default structure, but this appears to be a sleight-of-hand misdirection rather than its primary payload. Since Trojan.Milicenso explicitly attempts to identify security "sandboxes" and virtual environments and reacts to them by installing Eorezo, SpywareRemove.com malware researchers strongly suspect that Eorezo is included merely to make Trojan.Milicenso look less dangerous to analysts and automated sandboxes than it actually is. The unpleasant reality is that Trojan.Milicenso can be configured to install many types of high-level PC threats, which makes it a danger that should be removed as quickly as possible.
Trojan.Milicenso: From Movie Player to Printer Nightmare
During its installation, Trojan.Milicenso creates a fake .spl file in the print spooler's job directory under System32 (spool\PRINTERS). Although this file is actually a malicious executable rather than a print job, the spooler treats any .spl file in that directory as a pending job and sends it to the printer. As a result, computers infected by Trojan.Milicenso often begin to print endless pages of seemingly random symbols: the printer is rendering the raw contents of the binary. Thankfully, SpywareRemove.com malware researchers have found that this does not cause permanent harm to the printer; deleting Trojan.Milicenso's components in an anti-malware scan, together with any garbage jobs still queued in the spooler, returns the printer to normal.
It is suggested that you take this course of action as soon as possible, since Trojan.Milicenso can also lower your Internet Explorer security settings, change the Windows Registry without your consent and leave the PC vulnerable to other threats. Because Trojan.Milicenso uses encryption and other methods to avoid detection, keeping anti-malware software updated is also advised to maximize detection rates.
Technical Details
File System Modifications
The following files were created in the system (all are in the Malware file group):

| File name | Size | MD5 | Detection count | File type | Last Updated |
|---|---|---|---|---|---|
| file.exe | 334.94 KB (334949 bytes) | e0bcce62bc17811660fdc8e882f8a119 | 70 | Executable File | June 26, 2012 |
| file.exe | 332.8 KB (332800 bytes) | a6bb2fa68a4852f8f163deb64dd3b065 | 69 | Executable File | June 26, 2012 |
| file.exe | 444.41 KB (444416 bytes) | c8e45651512cf3275b0d12307b27ae7d | 68 | Executable File | June 26, 2012 |
| xpsp4ress.dll | 163.84 KB (163840 bytes) | ee4e11342f6c94d31e212bdc8b003395 | 59 | Dynamic link library | June 26, 2012 |
| file.exe | 524.93 KB (524931 bytes) | baa1ad467a34144b20cea02e8b537979 | 5 | Executable File | March 30, 2020 |

The following file name patterns are also used (placeholders as reported; all are in the Malware file group):

- %System%\[RANDOM CHARACTERS].dll (Dynamic link library)
- %Temp%\[RANDOM CHARACTERS].bat (Batch file)
- %Windir%\Tasks\[RANDOM CHARACTERS].job (scheduled task)
- %ProgramFiles%\[EXISTING FOLDER NAME]\[RANDOM FILE NAME].dll (Dynamic link library)
- %ProgramFiles%\[EXISTING FOLDER NAME]\[RANDOM FILE NAME].exe (Executable File)
- %System%\[RANDOM FILE NAME].exe (Executable File)
- %Temp%\[RANDOM FILE NAME].exe (Executable File)
- %Temp%\[RANDOM FILE NAME].dll (Dynamic link library)
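The hashed samples listed above and the fake spool file described in the "Printer Nightmare" section give an incident responder two cheap checks to run on a suspect host: hash every file under the usual drop locations (%Temp%, %System%, %ProgramFiles%) against the listed MD5s, and look for a PE image sitting in the print spooler's job directory, since a genuine .SPL job never begins with the DOS "MZ" stub that every Windows executable carries. The script below is an added example written for this page; it is not SpywareRemove.com or SpyHunter code. It runs offline against a small directory tree it constructs itself. The `PRINTERS` directory name stands in for the real `%SystemRoot%\System32\spool\PRINTERS` location, and the planted sample files (and the MD5 added for the planted dropper) are assumptions for the demonstration.

```python
"""Offline file-system sweep for the Trojan.Milicenso indicators on this page.

Added example, not SpywareRemove.com code. Two checks: MD5 match against the
hashes quoted above, and a PE header on any file inside a spooler directory.
"""
import hashlib
import os
import tempfile

# MD5 values quoted in the File System Modifications section of this page.
MILICENSO_MD5S = frozenset({
    "e0bcce62bc17811660fdc8e882f8a119",
    "a6bb2fa68a4852f8f163deb64dd3b065",
    "c8e45651512cf3275b0d12307b27ae7d",
    "ee4e11342f6c94d31e212bdc8b003395",
    "baa1ad467a34144b20cea02e8b537979",
})


def md5_of(path, chunk=1 << 20):
    """Stream-hash a file so a large spool file is not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe_image(path):
    """A real spool job never starts with the DOS 'MZ' stub of a PE image."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def sweep(root, known_md5s=MILICENSO_MD5S, spool_dir="PRINTERS"):
    """Walk `root` and return sorted (relative path, reason) findings.

    On a live host `spool_dir` is %SystemRoot%\\System32\\spool\\PRINTERS,
    where the spooler picks up every .SPL it finds and ships it to the printer.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_spool = os.path.basename(dirpath).upper() == spool_dir.upper()
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                if md5_of(path) in known_md5s:
                    findings.append((rel, "md5 matches a listed Milicenso sample"))
                if in_spool and is_pe_image(path):
                    findings.append((rel, "PE image posing as a spool file"))
            except OSError:
                findings.append((rel, "unreadable (locked or permission denied)"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed demo layout (assumption, not real malware). Returns the MD5
    of the planted dropper stand-in so the caller can add it to the hash set."""
    layout = {
        # Fake spool job that is really an executable: the print-bomb trigger.
        "System32/spool/PRINTERS/00004.SPL": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
        # Ordinary-looking spool job: not a PE image, must not be flagged.
        "System32/spool/PRINTERS/00005.SPL": b"\x00\x00\x01\x00" + b"\x11" * 64,
        # Stand-in for the dropped file.exe in %Temp%; flagged by hash only.
        "Temp/file.exe": b"MZ" + b"constructed dropper stand-in",
        "Program Files/Codec/readme.txt": b"benign text file",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return hashlib.md5(layout["Temp/file.exe"]).hexdigest()


def demo():
    """Build the sample tree, sweep it, and return the findings list."""
    with tempfile.TemporaryDirectory() as root:
        planted = build_sample_tree(root)
        return sweep(root, known_md5s=MILICENSO_MD5S | {planted})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

On a live Windows host, point `sweep()` at the System32 and %Temp% trees. Legitimate .SPL and .SHD files appear in the spooler directory while jobs are in flight, which is why the check looks for a PE header rather than for the mere presence of a spool file; a hash miss proves nothing, since the page itself notes the samples vary in size and the dropped names are random.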
Registry Modifications
Values:

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\"1900:TCP" = "1900:TCP:LocalSubNet:Enabled:UDP 1900"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"2" = "[BINARY DATA]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"4" = "[BINARY DATA]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"5" = "[BINARY DATA]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"7" = "[BINARY DATA]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"8" = "[BINARY DATA]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"9" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"2" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"4" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"5" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"7" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"8" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"9" = "[BINARY DATA]"
- HKEY_CURRENT_USER\System\CurrentControlSet\"1" = "[RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\System\CurrentControlSet\"10" = "[RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\System\CurrentControlSet\"3" = "[RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\System\CurrentControlSet\"4" = "[RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\NKARYVBF\"Sg" = "[BINARY DATA]"
- HKEY_CURRENT_USER\System\CurrentControlSet\"8" = "1"
- HKEY_CURRENT_USER\System\CurrentControlSet\"9" = "1"
- HKEY_CURRENT_USER\System\CurrentControlSet\"5" = "1"
- HKEY_CURRENT_USER\System\CurrentControlSet\"7" = "1"
- HKEY_USERS\.DEFAULT\Software\NKARYVBF\"Sg" = "[BINARY DATA]"
- HKEY_USERS\.DEFAULT\System\CurrentControlSet\"5" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"1" = "[RANDOM CHARACTERS]"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"10" = "[RANDOM CHARACTERS]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\FreeCodec_I\DEBUG\"Trace Level" = ""
- HKEY_LOCAL_MACHINE\SOFTWARE\NKARYVBF\"Sg" = "[BINARY DATA]"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"3" = "[RANDOM CHARACTERS]"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"4" = "[RANDOM CHARACTERS]"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"8" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"9" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"5" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"7" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"

Subkeys:

- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM VALUE]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia
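The registry listing above is flat text, but a responder usually wants it as structured indicators: which entries are autostart persistence (the `Run` and `policies\Explorer\Run` values pointing at the Trojan executable), which change firewall policy (the GloballyOpenPorts entry, which adds an exception for port 1900 on the local subnet), and which are simply the Trojan's own stored state. The parser below is an added example written for this page, not SpywareRemove.com code. It reads entries in the `HIVE\path\"ValueName" = "data"` form used above, classifies them with rules that are this example's own (the category names are assumptions), and emits `reg query` commands for the persistence and firewall entries so they can be checked on a suspect host. The sample lines are copied from this page's listing.

```python
"""Parse this page's registry indicators and derive `reg query` hunts.

Added example, not SpywareRemove.com code. Placeholders such as
[RANDOM VALUE] are kept verbatim and turn into a whole-key query rather
than a /v lookup, since the real value name is not known in advance.
"""
import re

# One listing line: HIVE\path\"ValueName" = "data" (the form used on this page).
ENTRY_RE = re.compile(r'^(?P<key>HKEY_[^"]+?)\\"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"$')
# Placeholders the page uses where the real name is random, e.g. [RANDOM VALUE].
PLACEHOLDER_RE = re.compile(r"^\[.*\]$")
# Autostart key suffixes, compared case-insensitively against the key path.
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\policies\\explorer\\run")

# Copied from this page's listing (a subset, plus one bare subkey line).
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\"1900:TCP" = "1900:TCP:LocalSubNet:Enabled:UDP 1900"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"2" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\NKARYVBF\"Sg" = "[BINARY DATA]"
HKEY_CURRENT_USER\System\CurrentControlSet\"8" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\FreeCodec_I\DEBUG\"Trace Level" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM VALUE]
"""


def parse_listing(text):
    """Return (entries, subkeys). Entries are dicts with key/name/data for
    value lines; subkeys are bare key paths the page lists without a value."""
    entries, subkeys = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"key": m["key"], "name": m["name"], "data": m["data"]})
        elif line.startswith("HKEY_"):
            subkeys.append(line)
    return entries, subkeys


def classify(entry):
    """Category names are this example's own, not the page's."""
    key = entry["key"].lower()
    if key.endswith(AUTOSTART_SUFFIXES):
        return "autostart"
    if "\\firewallpolicy\\" in key and "\\globallyopenports\\" in key:
        return "firewall-exception"
    if key.endswith("\\internet settings"):
        return "internet-settings"
    # Numeric / random-named values under CurrentControlSet, NKARYVBF, ESENT:
    # the page lists them but documents no meaning, so treat them as state.
    return "state"


def hunt_commands(entries):
    """One `reg query` per autostart or firewall entry, for cmd.exe on a
    suspect host. A placeholder name queries the whole key instead of /v."""
    cmds = []
    for e in entries:
        if classify(e) not in ("autostart", "firewall-exception"):
            continue
        if PLACEHOLDER_RE.match(e["name"]):
            cmds.append(f'reg query "{e["key"]}"')
        else:
            cmds.append(f'reg query "{e["key"]}" /v "{e["name"]}"')
    return cmds


def demo():
    """Parse the sample listing; return entries, subkeys, a category count
    and the generated hunt commands."""
    entries, subkeys = parse_listing(SAMPLE_LISTING)
    summary = {}
    for e in entries:
        kind = classify(e)
        summary[kind] = summary.get(kind, 0) + 1
    return entries, subkeys, summary, hunt_commands(entries)


if __name__ == "__main__":
    _entries, _subkeys, summary, cmds = demo()
    print(summary)
    print("\n".join(cmds))
```

The whole-key query for the `[RANDOM VALUE]` entries is deliberate: on a clean host those Run keys normally hold a handful of recognisable vendor entries, so the thing to look for is a value with a random name whose data points into %Temp%, %System% or an unrelated folder under %ProgramFiles%, matching the drop locations listed above.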