Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | April 2007 (4.16) |
| Protection available since | 22 February 2007 02:56:39 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Spy-UL is an information stealing Trojan for the Windows platform.
When run, Troj/Spy-UL creates the following files:
<System>\odbcmr32.dll - detected as Troj/Spy-UL
<Temp>\odbcmr32.dll - detected as Troj/Spy-UL
<System>\obdwk.sys - detected as Troj/NTRootK-BF
When run, Troj/Spy-UL creates the following registry entries to run itself on startup:
HKCR\CLSID\(ClassID)\InprocServer32
(default) = odbcmr32.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
odb_set = (ClassID)
Troj/Spy-UL creates the file <System>\obdwk.sys and registers it as a new system driver service named "mcemgr" with a display name of "mcemgr" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCEMGR\
HKLM\SYSTEM\CurrentControlSet\Services\mcemgr\
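As an added defender-side example (not code from Sophos or from this page), the following Python script parses a registry export in regedit's .reg format, resolves each ShellServiceObjectDelayLoad value to the DLL registered under its CLSID's InprocServer32 key, and reports the persistence indicators named above (the odb_set value, odbcmr32.dll, the mcemgr driver service and obdwk.sys). The embedded export is constructed for the example: the CLSIDs and the ExampleBenign entry are placeholders, not values from the page, and the parser covers only the string and dword value forms shown.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators for Troj/Spy-UL, taken from the Sophos description above.
SPY_UL_DLL = "odbcmr32.dll"
SPY_UL_DRIVER = "obdwk.sys"
SPY_UL_SERVICE = "mcemgr"
SPY_UL_SSODL_VALUE = "odb_set"

# Registry locations the description names, spelled as regedit exports them and
# stored lower-case because registry paths are case-insensitive.
SSODL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
CLSID_ROOT = r"hkey_classes_root\clsid"

# Constructed sample export (.reg format). The CLSIDs and the benign entry are
# placeholders for this example only; Start=2 is SERVICE_AUTO_START, Type=1 is
# SERVICE_KERNEL_DRIVER, matching the "automatic" system driver described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ExampleBenign"="{00000000-0000-0000-0000-000000000001}"
"odb_set"="{00000000-0000-0000-0000-000000000bad}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000bad}\InprocServer32]
@="C:\\Windows\\System32\\odbcmr32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcemgr]
"DisplayName"="mcemgr"
"ImagePath"="\\??\\C:\\Windows\\System32\\obdwk.sys"
"Start"=dword:00000002
"Type"=dword:00000001
"""

RegTree = Dict[str, Dict[str, object]]


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of regedit's export format used here: [Key] headers,
    "Name"="string", @="string" (the default value) and "Name"=dword:hex lines.
    Keys are normalised to lower case; unknown value forms are kept as raw text."""
    tree: RegTree = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = tree.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        else:
            current[name] = data
    return tree


def resolve_ssodl(tree: RegTree) -> List[Tuple[str, str, Optional[str]]]:
    """For every ShellServiceObjectDelayLoad value, resolve its CLSID to the DLL
    named in HKCR\\CLSID\\{clsid}\\InprocServer32 (None if the CLSID is not
    registered). Explorer loads each of these DLLs at logon, which is what makes
    this key a persistence location worth auditing."""
    results: List[Tuple[str, str, Optional[str]]] = []
    for name, clsid in tree.get(SSODL_KEY, {}).items():
        inproc = tree.get(CLSID_ROOT + "\\" + str(clsid).lower() + "\\inprocserver32", {})
        dll = inproc.get("(default)")
        results.append((name, str(clsid), dll if isinstance(dll, str) else None))
    return results


def find_spy_ul_indicators(tree: RegTree) -> List[str]:
    """Return one readable finding per Troj/Spy-UL persistence indicator present."""
    findings: List[str] = []
    for name, clsid, dll in resolve_ssodl(tree):
        dll_name = dll.rsplit("\\", 1)[-1].lower() if dll else ""
        if name.lower() == SPY_UL_SSODL_VALUE or dll_name == SPY_UL_DLL:
            findings.append(f"SSODL value '{name}' -> {clsid} -> {dll}")
    svc = tree.get(SERVICES_KEY + "\\" + SPY_UL_SERVICE)
    if svc is not None:
        image = str(svc.get("ImagePath", ""))
        auto = " (Start=2, automatic)" if svc.get("Start") == 2 else ""
        hit = " [matches obdwk.sys]" if image.lower().endswith(SPY_UL_DRIVER) else ""
        findings.append(f"service '{SPY_UL_SERVICE}' ImagePath={image}{auto}{hit}")
    return findings


if __name__ == "__main__":
    for finding in find_spy_ul_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

To run it against a real export, pass the file contents to parse_reg_export; regedit writes .reg files as UTF-16 with a byte-order mark, so read them with encoding="utf-16". The CLSID resolution step is the useful part for triage generally: an SSODL entry is only as trustworthy as the DLL its CLSID points at, so every value in that key, not just ones with a known-bad name, deserves a look at the resolved path.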
Troj/Spy-UL includes functionality to monitor network traffic and send the information to a remote location via HTTP.
Sophos's anti-virus products include Behavioral Genotype ® Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against Troj/Spy-UL (detected as Mal/Behav-007) since version 4.12.
