Summary

| | |
|---|---|
| How it spreads | Email attachment (spam campaign) |
| Affected operating systems | Windows |
| Included in our products from | February 2008 (4.26) |
| Protection available since | 16 December 2007 15:48:48 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Pushu-C is a downloader/installer for members of the Troj/Pushu-Gen family of Trojans.
Troj/Pushu-C typically arrives as an email attachment as part of a spamming campaign.
When run, Troj/Pushu-C injects its downloader code into a new hidden instance of Microsoft Internet Explorer and then tries to download and run an installer executable for Troj/Pushu-Gen.
Troj/Pushu-C downloads the Troj/Pushu-Gen Trojan to the <System>\drivers\ folder under filenames such as Ery42.sys and Dsn53.sys, and registers that file as a new system driver service.
Troj/Pushu-C replaces the following file with a rootkit component which Sophos Anti-Virus detects as Troj/Agent-GIS and/or Troj/Pushu-Gen:
<System>\drivers\ip6fw.sys
Troj/Pushu-C also installs the following stealthing component:
<System>\drivers\runtime.sys
(detected as Troj/Pushu-Gen) and registers this file as a new system driver service named "Runtime", creating registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\Runtime
The following harmless log file is created:
<System>\5_exception.nls
Members of the Troj/Pushu-Gen family of Trojans harvest email addresses from the victim's computer and send this information to a remote location (probably for use in future spamming campaigns). For further information please see the description for Troj/Pushu-Gen.
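A defender-side triage check for the artifacts listed above, added here as an example and not part of the Sophos description. It assumes a Windows XP-era host where ip6fw.sys ships Microsoft-signed and PowerShell is available; the Ery42/Dsn53 names are only the examples the description gives, so the check keys on the "Runtime" service, runtime.sys, the log file and the integrity of ip6fw.sys rather than on those names.

```powershell
# Added triage script (not Sophos code). Reports the Troj/Pushu-C artifacts named
# in the description; run elevated so the drivers folder and HKLM are readable.
$drivers  = Join-Path $env:SystemRoot 'System32\drivers'
$findings = @()

# 1. Persistence: the driver service "Runtime" created under
#    HKLM\SYSTEM\CurrentControlSet\Services\Runtime
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Runtime'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey (ImagePath=$($svc.ImagePath); Start=$($svc.Start))"
}

# 2. Dropped stealth component and the log file it writes
$artifacts = @(
    (Join-Path $drivers 'runtime.sys'),
    (Join-Path $env:SystemRoot 'System32\5_exception.nls')
)
foreach ($p in $artifacts) {
    if (Test-Path $p) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $findings += "Artifact present: $p sha256=$h"
    }
}

# 3. ip6fw.sys is overwritten with a rootkit component. The genuine file is
#    Microsoft-signed (assumption for XP), so a missing/invalid signature is a flag.
$ip6fw = Join-Path $drivers 'ip6fw.sys'
if (Test-Path $ip6fw) {
    $sig = Get-AuthenticodeSignature -FilePath $ip6fw
    if ($sig.Status -ne 'Valid') {
        $h = (Get-FileHash -Path $ip6fw -Algorithm SHA256).Hash
        $findings += "ip6fw.sys signature $($sig.Status): $ip6fw sha256=$h"
    }
}

# 4. Kernel drivers are not listed by Get-Service; use Win32_SystemDriver to see
#    whether a "Runtime" driver (or anything backed by runtime.sys) is registered/running.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq 'Runtime' -or $_.PathName -match 'runtime\.sys' } |
    ForEach-Object { $findings += "Driver object: $($_.Name) state=$($_.State) path=$($_.PathName)" }

if ($findings.Count -eq 0) { 'No Troj/Pushu-C artifacts found.' } else { $findings }
```

A hit on the service key or on runtime.sys alone is a strong indicator; an invalid signature on ip6fw.sys alone can also come from catalog-signed files on older systems, so confirm it against a known-good copy before acting.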
