Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 4 November 2004 09:14:43 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/WebMoney-G is a Trojan for the Windows platform. The Trojan monitors the WebMoney application and may attempt to extract passwords and information from the process memory.
When run, Troj/WebMoney-G copies itself to the following locations:
- %WINDOWS%\regdll32.exe
- %SYSTEM%\regsvr.exe
- %SYSTEM%\vxddrv32.exe
Troj/WebMoney-G performs the following actions so that it runs automatically at user logon or computer restart:
- Creates the following registry entries:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
Run = %WINDOWS%\regdll32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
regsvr = %SYSTEM%\regsvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = explorer.exe %SYSTEM%\vxddrv32.exe
- Writes to the %WINDOWS%\system.ini file with the following entry:
[boot]
shell = explorer.exe %SYSTEM%\vxddrv32.exe
- Writes to the %WINDOWS%\win.ini file with the following entry:
[windows]
run = %WINDOWS%\regdll32.exe
- Writes to the %WINDOWS%\welcome.ini file with the following entry:
[windows]
run = %WINDOWS%\regdll32.exe
- Copies itself to the following Windows Startup folder locations:
%WINDOWS%\Start Menu\Programs\Startup\rnaapp.exe
%ROOT%\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\rnaapp.exe
Troj/WebMoney-G may append the following entries to the hosts files %SYSTEM%\drivers\etc\hosts and %WINDOWS%\hosts.sam (a hosts entry overrides DNS resolution for the listed name):
212.118.48.8 wmsc.webmoney.ru
arbitrage.webmoney.ru 212.118.48.8
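As an added example (not part of the Sophos description), the following Python check reads system.ini, win.ini and hosts file contents and flags the artifacts listed above: a [boot] shell= value that is anything other than explorer.exe alone, run= entries naming one of the dropped files, and hosts lines pinning the WebMoney hostnames in either field order. The sample inputs are constructed from the entries in this description, not captured from an infected machine.

```python
# Indicators taken from the Troj/WebMoney-G description above.
DROPPED_NAMES = {"regdll32.exe", "regsvr.exe", "vxddrv32.exe", "rnaapp.exe"}
HOSTS_DOMAINS = {"wmsc.webmoney.ru", "arbitrage.webmoney.ru"}
# Legacy ini keys Windows still honours at logon: system.ini [boot] shell and win.ini [windows] run.
STARTUP_KEYS = {("boot", "shell"), ("windows", "run")}

def parse_ini(text):
    """Minimal .ini reader: {(section, key): value}, section and key lower-cased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"): continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries[(section, key.strip().lower())] = value.strip()
    return entries

def scan_ini(text):
    """Flag a shell= that is not exactly explorer.exe, or a startup key naming a dropped file."""
    findings = []
    for (section, key), value in parse_ini(text).items():
        if (section, key) not in STARTUP_KEYS: continue
        tokens = value.lower().split()
        names = {t.rsplit("\\", 1)[-1] for t in tokens}  # strip %SYSTEM%\ etc. down to the bare filename
        if key == "shell" and tokens != ["explorer.exe"]:
            findings.append(f"[{section}] shell has extra program(s): {value}")
        elif names & DROPPED_NAMES:
            findings.append(f"[{section}] {key} launches {', '.join(sorted(names & DROPPED_NAMES))}")
    return findings

def scan_hosts(text):
    """Flag hosts entries that pin WebMoney hostnames, whichever field order the line uses."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines yield no tokens
        hit = {t.lower() for t in line.split()} & HOSTS_DOMAINS
        if hit:
            findings.append(f"hosts pins {', '.join(sorted(hit))}: {line}")
    return findings

# Constructed samples mirroring the entries in the description (not captured from a real system).
SAMPLE_SYSTEM_INI = "[boot]\nshell = explorer.exe %SYSTEM%\\vxddrv32.exe\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun = %WINDOWS%\\regdll32.exe\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n212.118.48.8 wmsc.webmoney.ru\narbitrage.webmoney.ru 212.118.48.8\n"

if __name__ == "__main__":
    for finding in scan_ini(SAMPLE_SYSTEM_INI) + scan_ini(SAMPLE_WIN_INI) + scan_hosts(SAMPLE_HOSTS):
        print(finding)
```

The same "explorer.exe plus an appended program" test applies to the Winlogon Shell registry value listed above; the registry Run values can be checked against DROPPED_NAMES in the same way.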
