Troj/Dropr-CZ is a Trojan for the Windows platform.
Troj/Dropr-CZ includes functionality to:
- copy itself to the <WINDOWS> folder
- start services
- run automatically
- copy itself to the <System> folder
- create files in the <System> folder
- steal confidential information
- access the internet and communicate with a remote server via HTTP
When first run, Troj/Dropr-CZ copies itself to:
<System>\ashDip.exe
<Windows>\xtreme.exe
and creates the file <System>\drivers\atualizada.sys. This file is detected as Troj/Bancos-BHI.
The following registry entries are created to run ashDip.exe and xtreme.exe on startup (key, then value name = value data):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ashDip.exe = <System>\ashDip.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    (Default) = <Windows>\xtreme.exe
The file atualizada.sys is registered as a new service named "atualizada", with a display name of "biba". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\atualizada
The following registry entry is set (disabling User Account Control):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA = 0x00000000
Registry entries are created under:
HKCU\Software\Microsoft\rSlHjSwu
HKCU\ashDip
HKCU\avs
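As an added example that is not part of the original description, the following read-only PowerShell check looks for the file, Run-key, service, EnableLUA and per-user artifacts listed above on a Windows host. It assumes an elevated prompt (to read HKLM\SYSTEM) and inspects only the current user's HKCU hive.

```powershell
# Added example: host check for the Troj/Dropr-CZ artifacts described above.
# Read-only: it reports findings and removes nothing.
$sys = [Environment]::SystemDirectory   # <System>
$win = $env:SystemRoot                  # <Windows>
$findings = @()

# Dropped files
foreach ($p in @("$sys\ashDip.exe", "$win\xtreme.exe", "$sys\drivers\atualizada.sys")) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Run-key persistence: the named value 'ashDip.exe' and the '(Default)' value
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $run) {
    $props = Get-ItemProperty -Path $run
    if ($props.PSObject.Properties['ashDip.exe']) {
        $findings += "Run value ashDip.exe = $($props.'ashDip.exe')"
    }
    $default = (Get-Item -Path $run).GetValue('')   # reads the (Default) value
    if ($default -and $default -match 'xtreme\.exe') {
        $findings += "Run (Default) = $default"
    }
}

# Service persistence: service 'atualizada' (display name 'biba')
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\atualizada'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)'"
}

# UAC disabled: EnableLUA = 0 (a $null value does not match 0 here)
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings += 'EnableLUA is 0 (UAC disabled)' }

# Per-user marker keys (current user's hive only)
foreach ($k in 'HKCU:\Software\Microsoft\rSlHjSwu', 'HKCU:\ashDip', 'HKCU:\avs') {
    if (Test-Path -Path $k) { $findings += "Key present: $k" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Troj/Dropr-CZ artifacts found.' }
```

On 64-bit Windows a 32-bit dropper's <System> folder may resolve to SysWOW64 and its HKLM\SOFTWARE writes may land under Wow6432Node, so check both locations if this reports nothing.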