Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 22 April 2005 08:17:41 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
More Information
Troj/CashGrab-A is a password-stealing Trojan aimed at customers of banking websites.
Troj/CashGrab-A will spy on a user's browsing habits, watching for banking URLs. The Trojan will then attempt to steal login information.
Troj/CashGrab-A will connect to a remote site to download further files and data.
When first run, Troj/CashGrab-A will drop the following files:
- UPDATE.SYS - Text file containing a URL
- SETUP.CMD - DOS batch file, used to delete Trojan installation files
- %SYSTEM%\WINDOWS.IDN - Text file containing data
- %SYSTEM%\WINST.MSI - Text file containing a URL
- %SYSTEM%\MSUPDATE.DLL - Troj/CashGrab-A
- %SYSTEM%\WINSETUP.EXE - Troj/CashGrab-A
In order to run automatically each time Internet Explorer starts, Troj/CashGrab-A will install MSUPDATE.DLL as a Browser Helper Object. The following registry branches will be created:
- HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
- HKCR\msupdate.IEHelperOP
In particular, the following registry entry will be created:
- HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\InprocServer32
  - (default): %SYSTEM%\msupdate.dll
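
A triage check built from the indicators above, as an added example that is not part of the original Sophos description: it parses registry export text (.reg format), lists every Browser Helper Object together with the DLL its CLSID loads, and flags the CLSID or the msupdate.dll file name given on this page. The sample export, the `11111111-...` CLSID, the toolbar.dll path and the function names are constructed for this example.

```python
import ntpath
import re

# Indicators from the description above.
CASHGRAB_CLSID = "3A4E6FF3-BF59-446E-9DC8-731BCE2F349A"
CASHGRAB_DLL = "msupdate.dll"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects").upper()

def parse_reg(text):
    """Parse .reg export text into {KEY_PATH_UPPER: {value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'(@|"[^"]*")="(.*)"', line)  # string values only
        if header:
            current = keys.setdefault(header.group(1).upper(), {})
        elif value and current is not None:
            name = value.group(1)[1:-1]  # "@" (the default value) becomes ""
            current[name] = value.group(2).replace("\\\\", "\\")
    return keys

def audit_bhos(reg_text):
    """Return (clsid, dll, suspicious) for every registered BHO."""
    keys, results = parse_reg(reg_text), []
    for path in keys:
        parent, _, clsid = path.rpartition("\\")
        if parent != BHO_KEY:
            continue
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\INPROCSERVER32", {})
        dll = server.get("", "")
        # The page prints the CLSID in parentheses; .reg exports use braces.
        hit = (clsid.strip("{}()") == CASHGRAB_CLSID
               or ntpath.basename(dll).lower() == CASHGRAB_DLL)
        results.append((clsid, dll, hit))
    return results

# Constructed sample export: one unrelated BHO plus the one described above.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
[HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32]
@="C:\\WINDOWS\\system32\\msupdate.dll"
'''

if __name__ == "__main__":
    print(*audit_bhos(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in. A match on the msupdate.dll name alone is a lead to verify against the file itself, not a confirmation.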

