high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 13 January 2006 05:54:59 (GMT) |
| Last updated | 1 February 2006 09:26:03 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Bckdr-QF is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Bckdr-QF includes functionality to access the internet and communicate with a remote server via HTTP. Troj/Bckdr-QF is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Bckdr-QF includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Bckdr-QF copies itself to:
<System>\ctfmon.exe
<System>\userinit.exe
and creates the following files:
<System>\raid.sys - detected by Sophos as Troj/NtRootK-O
<System>\twain.ini - detected by Sophos as Troj/Bckdr-QF
<System>\win_rar.dll - detected by Sophos as Troj/Bckdr-QF
The following registry entry is created to run Troj/Bckdr-QF on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE
<System>\ctfmon.exe
The following registry entry is changed to run userinit.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The file raid.sys is registered as a new system driver service named "raid", with a display name of "raid". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\raid\
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
|
