Summary

| Field | Value |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2007 (4.18) |
| Protection available since | 20 April 2007 21:16:43 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.

More Information
Troj/Zlob-ABP is a password-stealing Trojan.
Troj/Zlob-ABP captures confidential information in the form of keystrokes, Windows text and clipboard text and then sends this data to a remote location via email.
In particular Troj/Zlob-ABP attempts to capture login details for online banking websites from HTML pages that contain certain text strings, such as:
"e-gold", "PayPal", "bank", "passport", "money", "mail", "log", "sign", "secret", "forex", "hsbc", "woolwich", "lloyds", "barclay", "egg" or "password".
Troj/Zlob-ABP can arrive as a result of web browsing. Certain web pages may exploit vulnerabilities associated with Microsoft Internet Explorer to silently download and install/run the Trojan without user interaction.
Troj/Zlob-ABP includes functionality to:
- delete URL cache entries
- delete itself after a period of time
- steal confidential information
- download, install and run new software, including updates of its software
When Troj/Zlob-ABP is installed the following files are created:
<Temp>\nsq3.tmp\modern-header.bmp
<Temp>\nsq3.tmp\nsExec.dll
<System>\kdkat.exe
The file kdkat.exe is detected as Troj/Zlob-ABM.
The following registry entry is changed to run kdkat.exe on startup:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: System
Value data: kdkat.exe
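As an added triage example (not Sophos' code), the script below checks the two host artefacts listed above: it parses a constructed `.reg`-style export of the Winlogon key, flags a `System` value that launches kdkat.exe, and expands the `<System>`/`<Temp>` placeholders from the file list into concrete paths. The sample export, the directory names and the helper function names are assumptions for the demonstration.

```python
"""Added example: triage helper for the Troj/Zlob-ABP indicators on this page."""
import re

# Indicators taken from the advisory text above.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUE = "System"
DROPPED_BINARY = "kdkat.exe"
DROPPED_FILES = [
    r"<Temp>\nsq3.tmp\modern-header.bmp",
    r"<Temp>\nsq3.tmp\nsExec.dll",
    r"<System>\kdkat.exe",
]

# Constructed sample export. On a real host you would create it with
# `reg export "HKLM\...\Winlogon" winlogon.reg` and read that file instead.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="kdkat.exe"
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM")
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes and double quotes with a backslash
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = data
    return keys

def winlogon_system_value(text):
    """Data of the Winlogon 'System' value, or '' if the key/value is absent."""
    return parse_reg_export(text).get(WINLOGON_KEY, {}).get(WINLOGON_VALUE, "")

def is_zlob_abp_persistence(text):
    """True when Winlogon\\System launches kdkat.exe, the change described above."""
    return DROPPED_BINARY.lower() in winlogon_system_value(text).lower()

def expand_dropped_files(system_dir, temp_dir):
    """Turn the advisory's <System>/<Temp> placeholders into concrete paths to check."""
    return [p.replace("<System>", system_dir).replace("<Temp>", temp_dir) for p in DROPPED_FILES]
```

The Winlogon `System` value is not a common autostart location, so any non-empty data there deserves a look even when it does not name kdkat.exe.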
