CLEAN INSTRUCTION

1. Restart the computer in Safe Mode.

2. Open Windows Explorer, locate the infected file and delete it.

3. Verify if the folder C:\Program Files\Common Files\zzfw exists. If it does, delete it along wih all its contents.

4. Go to Start > Run, type regedit and press OK.

5. Locate and delete the following registry keys/values:

HKEY_LOCAL_MACHINE\Software\zzfw
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, wfzz
or
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, zzfw

6. Run a full scan of the system with BullGuard.

SYMPTOMS

1. Increased network traffic.

2. Suspicious processes might be observed in Task Manager.

DESCRIPTION

1. When it runs, it creates these registry keys:

HKEY_LOCAL_MACHINE\Software\zzfw
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, wfzz

2. After that it initiates a connection to dl.targetsaver.com in order to download an installer for several malicious components that are recognized as:

Trojan.Downloader.Tsupdate.Q

Trojan.Downloader.Tsupdate.N

Adware.Sqwire.A

Application.Target.Saver.A

3. When the download is complete, the wfzz key is deleted from the registry.

4. The installer will extract the files in the following folder: C:\Program Files\Common Files\zzfw

and it will create a process for every downloaded executable file.

So you will find the following processes:

zzfwa.exe

zzfwl.exe

zzfwm.exe

zzfwp.exe

5. An entry will be added in the registry in order to ensure that the zzfw program is executed at startup. The name of the key is:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, zzfw

Author:
The BullGuard Team