high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 8 March 2006 20:59:06 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
it should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.
Close the registry editor.
More Information
Troj/BrontDl-B is a downloading Trojan for the Windows platform.
Troj/BrontDl-B attempts to download and execute a file from a preconfigured location on the internet. Troj/BrontDl-B is a downloading Trojan for the Windows platform.
Troj/BrontDl-B attempts to download a file from a preconfigured location to <System>\dll\lsass.exec2u.bin and execute it.
At the time of writing, this file was unavailable for download.
When first run Troj/BrontDl-B copies itself to <System>\dll\lsass.exe.
The following registry entry is changed to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\dll\lsass.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
|
