Troj/Digidor-A is a backdoor Trojan for the Windows platform.
Troj/Digidor-A includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, Troj/Digidor-A copies itself to:
<Windows folder>\svohost.exe
<Windows system folder>\HDDGMom.exe
<Windows system folder>\lsasa.exe
Troj/Digidor-A also copies itself to several files in the <Windows folder>\temp folder.
The following registry entries are created to run svohost.exe and HDDGMom.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfnom.exe
<Windows folder>\SVOHOST.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe HDDGMom.exe
The following registry entry is set or modified so that lsasa.exe is run whenever a file with a TXT extension is opened or launched:
HKCR\txtfile\shell\open\command
(default)
<Windows system folder>\lsasa.exe "%1"
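A triage check for the three registry changes listed above, as an added example that is not part of the original description. It parses saved `reg query` text output; the function names and the sample output are constructed for illustration, and the drive and folder paths in the sample are assumptions.

```python
import re

# Indicators from the description above: (registry key suffix, value name, file name in data).
INDICATORS = [
    (r"\software\microsoft\windows\currentversion\run", "ctfnom.exe", "svohost.exe"),
    (r"\software\microsoft\windows nt\currentversion\winlogon", "shell", "hddgmom.exe"),
    (r"\txtfile\shell\open\command", "(default)", "lsasa.exe"),
]

# A value line in `reg query` output: indent, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text output into (key, value name, data) tuples."""
    key, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # a new key header starts here
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            rows.append((key, m.group(1), m.group(3).strip()))
    return rows

def find_digidor_persistence(text):
    """Return the parsed values that match the registry entries listed above."""
    hits = []
    for key, name, data in parse_reg_query(text):
        for suffix, want_name, needle in INDICATORS:
            if (key.lower().endswith(suffix) and name.lower() == want_name
                    and needle in data.lower()):
                hits.append((key, name, data))
    return hits

# Constructed sample output (not captured from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfnom.exe    REG_SZ    C:\WINDOWS\SVOHOST.exe
    Updater    REG_SZ    C:\Program Files\Example\updater.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe HDDGMom.exe

HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\system32\lsasa.exe "%1"
"""
```

Matching is case-insensitive because the description itself writes the file name as both svohost.exe and SVOHOST.exe.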