Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | October 2007 (4.22) |
| Protection available since | 15 August 2007 18:12:11 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Spywad-AR is a Trojan for the Windows platform.
Troj/Spywad-AR includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Spywad-AR may attempt to close certain notification windows related to anti-virus and security programs.
Troj/Spywad-AR periodically displays the following fake warning message:
Title: 'Windows Security Alert!'
Message: 'Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unathorised access to your files! Click here to download spyware remover ...'
When installed, the Trojan copies itself to the following files:
<Start Menu>\Programs\Startup\autorun.exe
<Start Menu>\Programs\Startup\system.exe
<System>\printer.exe
<System>\WinAvXX.exe
The following files are created:
<System>\hrumxxx.txt
<System>\vtrxxx.dll
where xxx is a random number.
The file hrumxxx.txt is detected as Troj/Agent-GAM and the file vtrxxx.dll is detected as Troj/Agent-GAN.
The following registry entries are created:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinAVX
<System>\WinAvXX.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinAVX
<System>\WinAvXX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
<System>\hrumxxx.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"Explorer.exe <System>\printer.exe"
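
The registry changes listed above can be checked against a snapshot of registry values; the following is an added example, not Sophos code. The function name `audit`, the `SYS` expansion of `<System>` and the sample values are constructed for illustration, and the AppInit_DLLs and Shell checks go slightly beyond this Trojan by flagging any non-DLL entry or any Shell value other than `explorer.exe`.

```python
import re

RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# File names from the description; "xxx" is a random number there.
DROPPED = re.compile(r"(?i)\b(hrum\d+\.txt|vtr\d+\.dll|printer\.exe|WinAvXX\.exe)\b")


def audit(values):
    """values maps (key, value name) -> data; returns sorted (key, name, reason)."""
    findings = set()
    run_keys = [r.lower() for r in RUN_KEYS]
    for (key, name), data in values.items():
        k, n, d = key.lower(), name.lower(), data.strip()
        if k in run_keys and n == "winavx":
            findings.add((key, name, "Run value name listed for Troj/Spywad-AR"))
        if k == APPINIT_KEY.lower() and n == "appinit_dlls":
            # AppInit_DLLs is a space- or comma-separated list of DLLs.
            for entry in filter(None, re.split(r"[ ,]+", d)):
                if not entry.lower().endswith(".dll"):
                    findings.add((key, name, "AppInit_DLLs entry is not a .dll: " + entry))
        if k == WINLOGON_KEY.lower() and n == "shell":
            # The default Winlogon Shell value is explorer.exe alone.
            if d.strip('"').lower() != "explorer.exe":
                findings.add((key, name, "Winlogon Shell launches more than explorer.exe"))
        if DROPPED.search(d):
            findings.add((key, name, "data references a file name from the description"))
    return sorted(findings)


SYS = r"C:\WINDOWS\system32"  # assumed expansion of <System>
# Constructed sample snapshot: three entries as described above, one benign.
SAMPLE = {
    (RUN_KEYS[0], "WinAVX"): SYS + r"\WinAvXX.exe",
    (RUN_KEYS[1], "ctfmon"): SYS + r"\ctfmon.exe",
    (APPINIT_KEY, "AppInit_DLLs"): SYS + r"\hrum417.txt",
    (WINLOGON_KEY, "Shell"): "Explorer.exe " + SYS + r"\printer.exe",
}

if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE):
        print(f"{key}\\{name}: {reason}")
```

The `values` mapping can be filled from the standard-library `winreg` module on a live host or from an offline registry export.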
