Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
Editing the registry
You will also need to edit the following registry entries, if they are present.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
recover.bmp.exe = C:\Windows\Rundll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
recover.bmp.exe = C:\Windows\Rundll.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\
recover.bmp.exe = Stub Path C:\Windows\Rundll.exe ASC
and remove these references.
Close the registry editor.
Editing Win.ini and System.ini
At the taskbar, click Start|Run and type Sysedit.
Bring Win.ini to the front. In the [windows] section, search for the lines 'Load=Rundll.exe' and 'Run=Rundll.exe'. Delete these lines.
Bring System.ini to the front. In the [Boot] section, search for the line 'Shell=Explorer .exe Rundll.exe'. Delete this line, ensuring that a line 'Shell=Explorer.exe' remains.
Reboot your computer.
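
The Win.ini and System.ini edits above can be checked offline against copies of the two files. The following is an added example, not Sophos code; the function names and sample file contents are constructed for illustration, and only the section names, keys and the Rundll.exe value come from this page.

```python
import re

TROJAN_NAME = "rundll.exe"  # file name this page gives for the Trojan's copy

# Constructed sample files containing the lines described on this page.
SAMPLE_WIN_INI = "[windows]\nLoad=Rundll.exe\nRun=Rundll.exe\nNullPort=None\n"
SAMPLE_SYSTEM_INI = ("[boot]\nShell=Explorer .exe Rundll.exe\n"
                     "system.drv=system.drv\n[386Enh]\ndevice=*vcd\n")

def scan_ini(text, section, keys):
    """Drop key=value lines in `section` whose key is in `keys` and whose
    value names the Trojan's file. Returns (cleaned, flagged, kept_keys)."""
    current, cleaned, flagged, kept = None, [], [], set()
    for line in text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            current = header.group(1).strip().lower()
        entry = re.match(r"\s*([^=;\[\s]+)\s*=\s*(.*)$", line)
        if entry and current == section:
            key, value = entry.group(1).lower(), entry.group(2).lower()
            # Compare whole file names so rundll32.exe is not flagged.
            hit = any(t.rsplit("\\", 1)[-1] == TROJAN_NAME for t in value.split())
            if key in keys and hit:
                flagged.append(line.strip())
                continue
            kept.add(key)
        cleaned.append(line)
    return cleaned, flagged, kept

def clean_win_ini(text):
    cleaned, flagged, _ = scan_ini(text, "windows", {"load", "run"})
    return cleaned, flagged

def clean_system_ini(text):
    cleaned, flagged, kept = scan_ini(text, "boot", {"shell"})
    # The page requires that a 'Shell=Explorer.exe' line remains in [boot].
    if flagged and "shell" not in kept:
        idx = next(i for i, l in enumerate(cleaned) if l.strip().lower() == "[boot]")
        cleaned.insert(idx + 1, "Shell=Explorer.exe")
    return cleaned, flagged

if __name__ == "__main__":
    for name, result in (("Win.ini", clean_win_ini(SAMPLE_WIN_INI)),
                         ("System.ini", clean_system_ini(SAMPLE_SYSTEM_INI))):
        print(name, "flagged:", result[1])
```

Section and key names are matched case-insensitively because this page writes them both as [windows]/[Windows] and [Boot].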
More Information
Troj/AnaFTP-01 is an FTP Trojan that copies itself to the file C:\Windows\Rundll.exe and sets the following registry entries to ensure the Trojan will be run on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
recover.bmp.exe = C:\Windows\Rundll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
recover.bmp.exe = C:\Windows\Rundll.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\
recover.bmp.exe = Stub Path C:\Windows\Rundll.exe ASC
Troj/AnaFTP-01 will insert the lines 'Load=Rundll.exe' and 'Run=Rundll.exe' in the [Windows] section of C:\Windows\Win.ini as well as the line 'Shell=Explorer .exe Rundll.exe' in the [Boot] section of C:\Windows\System.ini.
The Trojan will open port 41462 for listening, allowing remote access to the user's file system via commands sent to Troj/AnaFTP-01.

