high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | March 2008 (4.27) |
| Protection available since | 6 February 2008 03:25:37 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Dloadr-BIG is a Trojan for the Windows platform.
Sophos's anti-virus products include Behavioral Genotype® Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against Troj/Dloadr-BIG (detected as Mal/Behav-056) since version 4.16.
Troj/Dloadr-BIG is registered as a COM object creating registry entries under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{4DAE9566-953C-4DF1-8E9C-55B7890A3AE8}
The following registry entry is set in order to allow Troj/Dloadr-BIG to bypass the Windows Firewall undetected:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List\<System>\wbem\<4 random digits>\svchost.exe
<System>\wbem\<4 random digits>\svchost.exe:*:Enabled:svchost
When first run Troj/Dloadr-BIG copies itself to <System>\wbem\<4 random digits>\svchost.exe and creates the following files:
<System>\<10 random characters>.dll
<System>\dnabeser.dat
<System>\wbem\<10 random characters>.dll
At the time of this writing the file \wbem\<10 random characters>.dll is detected as Mal/Behav-056. The other dropped files are clean and can be safely deleted.
|
