Trojan:Win32/Enchanim is a trojan that attempts to stop multiple security-related processes for the purpose of downloading and running other malicious code such as Worm:Win32/Gamarue.F.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
Installation
This trojan is installed by other malware and is present as a randomly named file in the Windows system folder. The malware uses code injection to hinder detection and removal. When Trojan:Win32/Enchanim executes, it injects its code into running processes, including, for example:
csrss.exe
explorer.exe
lsass.exe
svchost.exe
Payload
Terminates processes
Trojan:Win32/Enchanim attempts to stop the following processes, many of which are security-related:
cfp.exe
avp.exe
kaspersky.exe
op_mon.exe
mcafee.exe
mcagent.exe
mcshield.exe
mctray.exe
mcsvhost.exe
mfevtps.exe
mfefire.exe
zonealarm.exe
egui.exe
nod32.exe
ekrn.exe
nod32kui.exe
msseces.exe
spiderui.exe
drwagntd.exe
drwagnui.exe
spiderml.exe
spidernt.exe
avscan.exe
avnotify.exe
avgnt.exe
ashdisp.exe
AVGIDSMonitor.exe
avgnsx.exe
avgcsrvx.exe
avgrsx.exe
avgw.exe
avgamsvr.exe
avg.exe
avgwdsvc
norton.exe
ccsvchst.exe
psctrls.exe
pavfnsvr.exe
pshost.exe
avengine.exe
Downloads other malware
Trojan:Win32/Enchanim may contact a remote host at 188.190.98.166 using port 80 to download other malware, such as Worm:Win32/Gamarue.F.
This trojan was also observed to contact a remote host at 31.186.102.156 using port 80.
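As an added example that is not part of the original encyclopedia entry, the following detection sketch turns the two behaviours described above (the security-process terminations listed under "Terminates processes" and the port 80 contacts listed under "Downloads other malware") into rules run over constructed, EDR-style event records. The event field names, the 30-second window and the threshold of three distinct targeted processes are assumptions chosen for the example, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names from the page, lowercased with ".exe" stripped so that
# "AVGIDSMonitor.exe" and the bare "avgwdsvc" entry compare consistently.
TARGETED = {n.lower().removesuffix(".exe") for n in (
    "cfp.exe", "avp.exe", "kaspersky.exe", "op_mon.exe", "mcafee.exe", "mcagent.exe",
    "mcshield.exe", "mctray.exe", "mcsvhost.exe", "mfevtps.exe", "mfefire.exe",
    "zonealarm.exe", "egui.exe", "nod32.exe", "ekrn.exe", "nod32kui.exe", "msseces.exe",
    "spiderui.exe", "drwagntd.exe", "drwagnui.exe", "spiderml.exe", "spidernt.exe",
    "avscan.exe", "avnotify.exe", "avgnt.exe", "ashdisp.exe", "AVGIDSMonitor.exe",
    "avgnsx.exe", "avgcsrvx.exe", "avgrsx.exe", "avgw.exe", "avgamsvr.exe", "avg.exe",
    "avgwdsvc", "norton.exe", "ccsvchst.exe", "psctrls.exe", "pavfnsvr.exe", "pshost.exe",
    "avengine.exe")}
# Remote hosts and port named on the page.
C2_HOSTS = {("188.190.98.166", 80), ("31.186.102.156", 80)}

def _name(path):
    """Basename of an image path, normalised the same way as TARGETED."""
    return path.rsplit("\\", 1)[-1].lower().removesuffix(".exe")

def detect(events, window=timedelta(seconds=30), threshold=3):
    """Scan event dicts ('time' ISO-8601, 'type' 'terminate'|'connect', 'source'
    initiating image, plus 'image' or 'dst'/'port'). One source stopping at least
    `threshold` distinct targeted processes within `window` raises an alert, as
    does any connection to a listed host. Returns the alerts in order."""
    alerts, kills = [], defaultdict(list)
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "terminate" and _name(ev["image"]) in TARGETED:
            hist = kills[ev["source"]]
            hist.append((t, _name(ev["image"])))
            recent = {n for ts, n in hist if t - ts <= window}
            if len(recent) >= threshold:
                alerts.append(("security-process-kill-burst", ev["source"], sorted(recent)))
                hist.clear()  # one alert per burst, then start counting afresh
        elif ev["type"] == "connect" and (ev["dst"], ev["port"]) in C2_HOSTS:
            alerts.append(("known-c2-contact", ev["source"], ev["dst"]))
    return alerts

# Constructed sample telemetry (not real data); svchost.exe is one of the hosts the page says the trojan injects into.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "type": "terminate", "source": "svchost.exe", "image": r"C:\Program Files\AVG\avgwdsvc.exe"},
    {"time": "2024-01-01T10:00:02", "type": "terminate", "source": "svchost.exe", "image": r"C:\Program Files\ESET\ekrn.exe"},
    {"time": "2024-01-01T10:00:03", "type": "terminate", "source": "svchost.exe", "image": r"C:\Program Files\AVG\AVGIDSMonitor.exe"},
    {"time": "2024-01-01T10:00:05", "type": "connect", "source": "svchost.exe", "dst": "188.190.98.166", "port": 80},
    {"time": "2024-01-01T11:00:00", "type": "terminate", "source": "explorer.exe", "image": r"C:\Windows\notepad.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one kill-burst alert for svchost.exe covering the three AV processes and one known-C2 alert for 188.190.98.166; the lone notepad.exe termination produces nothing.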