Troj/Bckdr-QF

Category: Viruses and Spyware Protection available since:13 Jan 2006 00:00:00 (GMT)
Type: Trojan Last Updated:13 Jan 2006 00:00:00 (GMT)
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/Bckdr-QF is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Bckdr-QF includes functionality to access the internet and communicate with a remote server via HTTP. Troj/Bckdr-QF is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Bckdr-QF includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Bckdr-QF copies itself to:

<System>\ctfmon.exe
<System>\userinit.exe

and creates the following files:

<System>\raid.sys - detected by Sophos as Troj/NtRootK-O
<System>\twain.ini - detected by Sophos as Troj/Bckdr-QF
<System>\win_rar.dll - detected by Sophos as Troj/Bckdr-QF

The following registry entry is created to run Troj/Bckdr-QF on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE
<System>\ctfmon.exe

The following registry entry is changed to run userinit.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe

(the default value for this registry entry is "<Windows>\System32\userinit.exe,").

The file raid.sys is registered as a new system driver service named "raid", with a display name of "raid". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\raid\

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy