Troj/Provis-A

Category: Viruses and Spyware
Type: Trojan
Protection available since: 29 Mar 2010 10:43:26 (GMT)
Last Updated: 29 Mar 2010 10:43:26 (GMT)
Prevalence: Small Number of Reports


Troj/Provis-A is a Trojan for the Windows platform.

Troj/Provis-A includes functionality to run automatically and create files in the <System> folder.

When Troj/Provis-A is installed, the following files (also detected as Troj/Provis-A) are created:

<System>\32rc.exe
<System>\3dPAD.exe
<System>\Epen.exe
<System>\sym32.exe
<System>\temp32.exe
<System>\userinity.exe
<Temp>\Usbconeted.exe

The following registry entries are created to run userinity.exe and Usbconeted.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
PC
userinity.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avscan
<Temp>\Usbconeted.exe

The following registry entries are set or modified so that temp32.exe is run whenever a file with the EXE extension is launched, and sym32.exe is run whenever a file with the TXT extension is opened:

HKCR\exefile\shell\open\command
(Default)
<System>\temp32.exe "%1" %*

HKCR\txtfile\shell\open\command
(Default)
<System>\sym32.exe %1

Registry entries are set which affect system security as follows (file extensions and protected operating system files are hidden in Explorer):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
UncheckedValue
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0x00000000

Registry entries are also created under:

HKCR\.tzt
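A read-only PowerShell audit for the indicators listed on this page, added here as an example (it is not Sophos code). It assumes an elevated prompt, that <Temp> is the current user's temp folder, and that a clean txtfile open command points at notepad.exe.

```powershell
# Added audit script (not Sophos code): read-only check of a Windows host for
# the Troj/Provis-A startup entries, shell\open\command hijacks, Explorer
# settings and dropped files listed in this advisory. Run from an elevated
# PowerShell prompt; <Temp> is assumed to be the current user's temp folder.
$findings = @()

# 1. Startup entries: key, value name and expected command taken from the advisory.
$runEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'PC';     Pattern = 'userinity\.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'avscan'; Pattern = 'Usbconeted\.exe' }
)
foreach ($e in $runEntries) {
    $v = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($v -and $v -match $e.Pattern) { $findings += "Startup entry $($e.Key)\$($e.Name) = $v" }
}

# 2. File-association hijack. A clean exefile command is "%1" %* and a clean
#    txtfile command runs notepad.exe (assumed); anything else is reported.
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
$cleanCommand = @{
    'HKCR:\exefile\shell\open\command' = '^"%1" %\*$'
    'HKCR:\txtfile\shell\open\command' = 'notepad\.exe'
}
foreach ($k in $cleanCommand.Keys) {
    $cmd = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -notmatch $cleanCommand[$k]) { $findings += "Open command hijacked at $k = $cmd" }
}

# 3. Explorer settings the Trojan changes so its dropped .exe files look harmless.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$p = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($p.HideFileExt -eq 1)     { $findings += 'HideFileExt=1: known file extensions are hidden' }
if ($p.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden=0: protected OS files are hidden' }
# UncheckedValue=1 makes the "Hide extensions" box keep hiding them even when unticked.
$tpl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt' -ErrorAction SilentlyContinue
if ($tpl.UncheckedValue -eq 1) { $findings += 'HideFileExt\UncheckedValue=1: extensions cannot be re-shown via Folder Options' }

# 4. Dropped files named in the advisory.
$sys = [Environment]::GetFolderPath('System')
$files = @(@('32rc.exe','3dPAD.exe','Epen.exe','sym32.exe','temp32.exe','userinity.exe') | ForEach-Object { Join-Path $sys $_ })
$files += Join-Path ([IO.Path]::GetTempPath()) 'Usbconeted.exe'
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" } }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No Troj/Provis-A indicators found.' }
```

If indicators are found, restore the exefile and txtfile open commands before deleting temp32.exe and sym32.exe, otherwise Windows will be unable to launch executables or open text files at all.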
