Sophos

Troj/Conhook-AG


Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from August 2007 (4.20)
Protection available since 14 June 2007 04:35:55 (GMT)
Detected by All Sophos products

More Information

Troj/Conhook-AG is a Trojan for the Windows platform.

When Troj/Conhook-AG is installed, the following files are created:

<Temp>\<Random FileName 1>.sys
<System>\<Random FileName 2>.dll
<System>\<Random FileName 3>.exe
<System>\drivers\<Random FileName 3>.sys

The following registry entries are created to run code exported by <Random FileName 2>.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Random Letters>
DLLName
<Random FileName 2>.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Random Letters>
Impersonate
0

The file <Random FileName 2>.dll is registered as a new service named "<Random Letters>". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\<Random Letters>

The file <Random FileName 3>.sys is registered as a new system driver service named "<Random Letters>", with a display name of "Microsoft RPC API Helper". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\<Random Letters>

The file <Random FileName 2>.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\(447E6663-81F1-44AC-90E2-4B106EED6D1D)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
(447E6663-81F1-44AC-90E2-4B106EED6D1D)

Registry entries are set as follows:

HKCR\Ctkfcjfg\CLSID
(default)
(447E6663-81F1-44AC-90E2-4B106EED6D1D)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout
File
<System>\drivers\<Random FileName 3>.sys
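The persistence locations listed above (Winlogon Notify package, service and driver entries, the BHO CLSID, the Ctkfcjfg ProgID and the OptimalLayout value) can be checked from a PowerShell prompt. The following read-only hunting script is an added example and is not part of the Sophos analysis; it assumes the CLSID is stored in the curly-brace form Windows uses for CLSID keys, that legitimate Winlogon Notify packages (present on Windows XP/2003) carry a valid Authenticode signature, and that the script is run elevated on the host under investigation. It reports findings and changes nothing.

```powershell
# Added example, not from the Sophos write-up: report Troj/Conhook-AG persistence indicators.
# Assumptions: run elevated; CLSID key uses braces; legitimate Notify DLLs are signed.

$clsid = '{447E6663-81F1-44AC-90E2-4B106EED6D1D}'   # GUID from the write-up, brace-delimited
$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Notify packages. Legitimate entries exist on XP/2003, so each DLLName is
#    resolved (relative names load from <System>) and flagged only when unsigned or missing.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    foreach ($pkg in Get-ChildItem $notifyRoot) {
        $dll = (Get-ItemProperty $pkg.PSPath -ErrorAction SilentlyContinue).DLLName
        if (-not $dll) { continue }
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        $ok = $false
        if (Test-Path $path) {
            $ok = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
        }
        if (-not $ok) {
            $findings.Add("Winlogon Notify '$($pkg.PSChildName)' loads unsigned or missing DLL: $path")
        }
    }
}

# 2. COM/BHO registration and the ProgID named in the write-up.
$comKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'Registry::HKEY_CLASSES_ROOT\Ctkfcjfg'
)
foreach ($key in $comKeys) {
    if (Test-Path $key) { $findings.Add("Registry key present: $key") }
}

# 3. Services whose display name matches the one the driver service is given.
#    The service name itself is random, so match on DisplayName and report the ImagePath.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Microsoft RPC API Helper' } |
    ForEach-Object {
        $findings.Add("Service '$($_.PSChildName)' has display name 'Microsoft RPC API Helper' (ImagePath: $($_.ImagePath))")
    }

# 4. OptimalLayout\File pointed at a driver under <System>\drivers.
$layout = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout' -ErrorAction SilentlyContinue
if ($layout -and $layout.File -and $layout.File -match '\\drivers\\[^\\]+\.sys$') {
    $findings.Add("OptimalLayout\File points at a driver: $($layout.File)")
}

if ($findings.Count -eq 0) { 'No Troj/Conhook-AG indicators found.' } else { $findings }
```

Because the file and service names are random, the script keys on the locations and fixed values the analysis does give (the CLSID, the ProgID, the display name and the OptimalLayout value) rather than on file names; a hit on any of them is a reason to pull the referenced files for analysis and to check the matching Winlogon Notify and service entries together, since they are created as a set.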
