Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
You will also need to delete the following registry keys, if they are present. They are less likely to be present in Windows 95/98/Me.
At the Windows taskbar, select Start|Run. Type 'Regedit' and press return. The registry editor will open.
Before you edit the registry, you should make a backup. In the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System32 = Windows System32\system.exe
and delete the reference to system.exe.
Each user has a registry area named HKEY_USERS\'code number indicating user'\. For each user locate the key:
HKU\code number\Software\Microsoft\Windows\CurrentVersion\Run\SERVER.EXE = Windows\SERVER.EXE
Delete the reference to SERVER.EXE.
Close the Registry Editor and restart your computer.
More Information
Troj/BushTro122 is a backdoor Trojan which will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the computer.
It copies itself to the Windows directory as SERVER.EXE and to the Windows System32 directory as system.exe. It also creates the registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System32 = Windows System32\system.exe
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SERVER.EXE = Windows\SERVER.EXE
This causes both copies of the server process to be run automatically each time the computer is restarted. Troj/BushTro122 will also attempt to notify the remote hacker when the affected computer is accessible.
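The registry backup exported in the removal steps can also be checked for the two autostart entries before and after cleanup, including every per-user area under HKEY_USERS. The script below is an added example, not Sophos code. It assumes the export has been read in as text, that the entries are plain string values, and that the last path element of each key listed above is the value name.

```python
import re

# Autostart entries listed on the page: (allowed hives, key suffix, value name, file name).
# Treating the last path element ("System32", "SERVER.EXE") as the value name is an assumption.
RUN = r"\software\microsoft\windows\currentversion"
INDICATORS = [
    (("hkey_local_machine",), RUN + r"\runservices", "system32", "system.exe"),
    (("hkey_users", "hkey_current_user"), RUN + r"\run", "server.exe", "server.exe"),
]
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg string data escapes backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def find_autostart_entries(reg_text):
    """Return (key, value name, data) for every entry matching INDICATORS."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if key is None or not value:
            continue  # header, blank line, or a non-string value type
        name, data = unescape(value.group(1)), unescape(value.group(2))
        basename = data.lower().rsplit("\\", 1)[-1]
        for hives, suffix, want_name, want_file in INDICATORS:
            k = key.lower()
            if (k.startswith(hives) and k.endswith(suffix)
                    and name.lower() == want_name and basename == want_file):
                hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real machine)
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"System32"="C:\\WINDOWS\\SYSTEM32\\system.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"SERVER.EXE"="C:\\WINDOWS\\SERVER.EXE"
"Updater"="C:\\Program Files\\Example\\update.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_autostart_entries(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

An empty result after cleanup and restart indicates that neither entry remains in the exported hives.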
