Troj/Agent-GSG

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports

Troj/Agent-GSG is a Trojan for the Windows platform.

Troj/Agent-GSG includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Agent-GSG is installed, the following files are created:

<User>\Local Settings\Application Data\spool.exe
<Temporary Internet Files>\Content.IE5\od6fwfox\getupdate[1].htm
<Temporary Internet Files>\Content.IE5\od6fwfox\webbibleschool[1].htm
<System>\drivers\ctfmon.exe

The following registry entries are created to run Troj/Agent-GSG on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
autoload
<User>\Local Settings\Application Data\spool.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ntuser
<System>\drivers\ctfmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
autoload
<User>\Local Settings\Application Data\spool.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ntuser
<System>\drivers\ctfmon.exe

The file <System>\drivers\ctfmon.exe is registered as a service named "Schedule" (replacing any existing services named "Schedule"). Registry entries are created or modified under:

HKLM\SYSTEM\CurrentControlSet\Services\Schedule

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UIHost
logonui.exe
