[INFO]
AnalystName=Andrei Brasoveanu
AnalystEMailID=brasoveanua@comodo.com
Team=Romania
Date=29-JUN-2010
Type=TrojWare
Platform=Win32
SubType=TrojanClicker
Family=Vesloruki
Variant=

[OVERVIEW]
Win32.Vesloruki belongs to the trojan-clicker family, a special type of trojan that remains resident in memory and attempts to connect to specific websites on a regular basis.

[TECHNICAL_DESCRIPTION]
In order to confuse the user, the trojan creates a copy of itself with a pseudo-legitimate name such as av.exe, systems.exe, systems32.exe or svchosts.exe and with the 'hidden-file' attribute set, either in the System/System32 folders or in the %appdata%/%temp% sub-directories under the user profile.

Because its primary function is to access different websites, the clicker can also disable the Windows Firewall, its exceptions and its notifications. The following registry values may indicate the trojan-clicker's presence:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000001

[SYMPTOMS]
Some websites have visit counters, and trojan-clickers can 'help' raise these counters.

[DISINFECTION]
Install COMODO Internet Security and scan the system to remove these threats.
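A read-only host check that looks for the firewall-policy registry values and the hidden file copies named in the description above. This is an added example, not part of the original Comodo entry; the function names and the indicator table are this example's own, and it reports findings without removing anything.

```powershell
# Added example (not from the original entry): look for the registry values and
# hidden file names this description associates with Win32.Vesloruki.
# Function names and the $indicators table are this example's own.

$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Registry values listed in the description, with the value that signals the clicker.
$indicators = @(
    @{ Key = "$fwBase\DomainProfile";   Name = 'EnableFirewall';       Bad = 0 },
    @{ Key = "$fwBase\DomainProfile";   Name = 'DoNotAllowExceptions'; Bad = 0 },
    @{ Key = "$fwBase\DomainProfile";   Name = 'DisableNotifications'; Bad = 1 },
    @{ Key = "$fwBase\StandardProfile"; Name = 'DoNotAllowExceptions'; Bad = 0 },
    @{ Key = "$fwBase\StandardProfile"; Name = 'DisableNotifications'; Bad = 1 }
)

function Test-FirewallPolicyIndicators {
    foreach ($i in $indicators) {
        $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value absent: nothing to report
        $actual = $item.($i.Name)
        if ($actual -eq $i.Bad) {
            [pscustomobject]@{ Indicator = "$($i.Key)\$($i.Name)"; Value = $actual }
        }
    }
}

# File names and drop locations from the description. Only hidden files are
# reported, because the trojan sets the hidden attribute on its copy.
$names = 'av.exe', 'systems.exe', 'systems32.exe', 'svchosts.exe'
$dirs  = "$env:SystemRoot\System", "$env:SystemRoot\System32", $env:APPDATA, $env:TEMP

function Find-HiddenDropperCopies {
    foreach ($d in $dirs) {
        if (-not (Test-Path -Path $d)) { continue }
        Get-ChildItem -Path $d -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Test-FirewallPolicyIndicators | Format-Table -AutoSize
Find-HiddenDropperCopies      | Format-Table -AutoSize
```

A registry match alone is only a lead, since the same values are set by administrators or Group Policy when the firewall is deliberately turned off; a hidden copy under one of the listed names in a drop location is the stronger indicator.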