Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | June 2008 (4.30) |
| Protection available since | 7 February 2008 21:18:50 (GMT) |
| Last updated | 30 April 2008 19:03:05 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/ZlobDr-G is a Trojan for the Windows platform.
When Troj/ZlobDr-G is installed the following files are created:
<Windows>\afxlspw.dll
<Windows>\bfrgnos.dll
<Windows>\dat.txt
<Windows>\dwrmntsklr.dll or <Windows>\dwrmntsdnq.dll
<Windows>\edfqvrw.dll
<Windows>\frplprg.exe
<Windows>\rs.txt
<Windows>\search_res.txt
The text files are data files; the remaining files are detected as Troj/ZlobDr-G.
The file afxlspw.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{4C5D6732-DD8B-4330-AFD9-AE8A2CDD6DBB}
HKCR\CLSID\{21D1A695-71C2-471B-92B4-2BB5A03DCD65}
HKCR\CLSID\{C694D168-587E-41C4-8153-F635678877EC}
The file bfrgnos.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{45C972BD-7E85-4135-80CB-E052C39F8016}
HKCR\CLSID\{01980ACF-D076-419E-A039-7ACFACA0931A}
HKCR\CLSID\{7ABAA323-D690-423E-8B33-BCC04B6BCFEA}
The files dwrmntsklr.dll and dwrmntsdnq.dll are registered as COM objects, creating registry entries under:
HKCR\CLSID\{293B26F4-FC61-4A26-971A-C0CA686A1155}
HKCR\CLSID\{76F30661-76C7-48CD-B18E-64F388AE030B}
HKCR\TypeLib\{92530C17-49BC-4D78-829D-732AF0D24979}
HKCR\TypeLib\{A6BB4262-6132-4F1E-954C-13A3FD45E976}
HKCR\Interface\{165525D4-5BED-4A4E-98DB-D4DDB3DAD7DD}
HKCR\Interface\{6ADA34E7-8ACE-47D2-BA52-42890E8C1980}
Other registry entries are created under:
HKCR\CLSID\{8202F040-3566-46E4-920F-92504E90E170}
HKCR\Interface\{5A5CE183-1441-4592-B8AB-00C0B70D19C6}
HKCR\Interface\{A09F73BB-AAB3-46FD-95E2-8771259805B4}
HKCR\Interface\{F952F5D9-D95A-4C5E-9D0D-60A880642774}
HKCR\TypeLib\{92530C17-49BC-4D78-829D-732AF0D24979}
HKCR\TypeLib\{9EEAF9E2-7C77-4BDE-A78C-4D5C172EAF66}
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}
HKCR\Interface\{5A945E54-93E0-4CF7-87E8-FAE4CDE5E075}
HKCR\Interface\{B5F63F48-0E28-4B37-9536-6E5588CBCAEE}
HKCR\Interface\{CF269089-EE76-400B-8F5B-E0191AFF6051}
HKCR\TypeLib\{8C1ADEEE-C337-4F42-B3AE-B2745AA21389}
HKCR\TypeLib\{A6BB4262-6132-4F1E-954C-13A3FD45E976}
The following registry entries are created to run code exported by afxlspw.dll and bfrgnos.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
afxlspw = {4C5D6732-DD8B-4330-AFD9-AE8A2CDD6DBB} or {C694D168-587E-41C4-8153-F635678877EC}
bfrgnos = {45C972BD-7E85-4135-80CB-E052C39F8016} or {01980ACF-D076-419E-A039-7ACFACA0931A}
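As an added example (not part of the Sophos analysis), the following PowerShell triage script enumerates the ShellServiceObjectDelayLoad values on the machine being examined, resolves each CLSID to the DLL registered as its InProcServer32 under HKCR, and reports which entries match the value names, CLSIDs and file names listed above. The indicators come from this page; the script itself is an assumed defender check, read-only, and removes nothing.

```powershell
# Added example: triage the ShellServiceObjectDelayLoad (SSODL) autostart key
# for the Troj/ZlobDr-G indicators given in the analysis. Run in an elevated
# PowerShell session on the host being examined. Read-only.

$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Indicators taken from the analysis: SSODL value names, CLSIDs, dropped DLL names.
$knownNames  = @('afxlspw', 'bfrgnos')
$knownClsids = @(
    '{4C5D6732-DD8B-4330-AFD9-AE8A2CDD6DBB}', '{C694D168-587E-41C4-8153-F635678877EC}',
    '{45C972BD-7E85-4135-80CB-E052C39F8016}', '{01980ACF-D076-419E-A039-7ACFACA0931A}'
)
$knownDlls   = @('afxlspw.dll', 'bfrgnos.dll', 'dwrmntsklr.dll', 'dwrmntsdnq.dll', 'edfqvrw.dll')

$item = Get-Item -Path $ssodl -ErrorAction Stop
foreach ($name in $item.GetValueNames()) {
    $clsid = [string]$item.GetValue($name)

    # Each SSODL value holds a CLSID. The DLL Explorer actually loads at logon is
    # the default value of that CLSID's InProcServer32 subkey under HKCR.
    $server = 'Registry::HKEY_CLASSES_ROOT\CLSID\' + $clsid + '\InProcServer32'
    $dll = $null
    if (Test-Path -Path $server) {
        $dll = (Get-ItemProperty -Path $server).'(default)'
    }

    $reasons = @()
    if ($knownNames  -contains $name)  { $reasons += 'value name listed in analysis' }
    if ($knownClsids -contains $clsid) { $reasons += 'CLSID listed in analysis' }
    if ($dll -and ($knownDlls -contains (Split-Path -Path $dll -Leaf))) {
        $reasons += 'DLL name listed in analysis'
    }
    if (-not $dll) { $reasons += 'CLSID has no InProcServer32 value' }

    $verdict = 'review manually'
    if ($reasons.Count -gt 0) { $verdict = 'SUSPECT: ' + ($reasons -join '; ') }

    [pscustomobject]@{
        ValueName = $name
        CLSID     = $clsid
        DLL       = $dll
        Verdict   = $verdict
    }
}
```

Windows registers its own SSODL entries, so unmatched entries are reported for manual review rather than flagged; an entry whose CLSID resolves to a DLL in the Windows directory with one of the names above is the case described in this analysis.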
Registry entries are created under:
HKCR\MSVPS.MSVPSApp
HKCR\edfqvrw.ToolBar.1
HKCR\edfqvrw.bgof
HKCR\edfqvrw.bdgr
HKLM\SOFTWARE\Microsoft\VideoPlugin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
Troj/ZlobDr-G claims to provide an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "WebVideo Support".
