Summary

| Protection available since | 23 June 2004 08:51:50 (GMT) |
|---|---|
| Detected by | All Sophos products (Endpoint Security and Control 9.0; Small business solutions 4.0) |
Action

Please follow the instructions for removing Trojans. The files to remove are those described under More Information: socket.exe and svchostz.exe in the Windows system folder, st.exe in the Windows folder, and the downloading component's copies in the Windows system folder and the current user's Startup folder. Do not remove the legitimate Windows svchost.exe, whose name the Trojan's svchostz.exe imitates.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Socket Utility
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Socket Utility
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Socket Utility
and delete them if they exist.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
This value should contain only a reference to explorer.exe (or NALWIN32.exe on a NetWare client). The Trojan appends its own entry to the existing value; remove any reference to a file you deleted, and restore the reference to explorer.exe if it is missing.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\Socket Utility
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\Socket Utility
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunServices\Socket Utility
and delete them if they exist.
Close the registry editor.
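The registry steps above can be scripted. The following PowerShell is an added example written for this page; it is not Sophos code and not part of the original instructions. It assumes PowerShell 3 or later run from an elevated prompt, that a legitimate Shell value names only explorer.exe (or NALWIN32.exe on a NetWare client), and writes its backup files to $env:TEMP; the script name in the usage note is hypothetical.

```powershell
# Added example, not from the Sophos page: scripts the registry part of the
# Troj/Daemoni-E clean-up above. Run from an elevated PowerShell; -WhatIf audits only.
# Assumptions (not stated on the page): a legitimate Shell value names only
# explorer.exe (or NALWIN32.exe on NetWare clients); backups go to $env:TEMP.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = $env:TEMP
)

$valueName     = 'Socket Utility'
$runSubKeys    = @('Run', 'RunOnce', 'RunServices')   # RunServices exists only in Windows 9x hives
$winlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$allowedShells = @('explorer.exe', 'nalwin32.exe')

# 1. Back up both hives before editing, as the page advises.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($hive in 'HKLM', 'HKU') {
    $file = Join-Path $BackupDir "$hive-backup-$stamp.reg"
    if ($PSCmdlet.ShouldProcess($file, "Export $hive")) {
        & reg.exe export $hive $file /y | Out-Null
    }
}

# 2. Map HKEY_USERS as a drive so every loaded per-user hive can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hiveRoots = @('HKLM:\SOFTWARE') +
             @(Get-ChildItem -Path 'HKU:\' | ForEach-Object { "$($_.PSPath)\SOFTWARE" })

# 3. Remove the 'Socket Utility' value from each Run/RunOnce/RunServices key.
$findings = @()
foreach ($root in $hiveRoots) {
    foreach ($sub in $runSubKeys) {
        $key = "$root\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -Path $key)) { continue }      # key absent on this hive/OS
        $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }
        $findings += [pscustomobject]@{ Key = $key; Value = $prop.$valueName }
        if ($PSCmdlet.ShouldProcess($key, "Remove value '$valueName'")) {
            Remove-ItemProperty -Path $key -Name $valueName
        }
    }
}

# 4. Repair Winlogon\Shell. The Trojan appends its own entry to the existing
#    comma-separated value, so keep only permitted shells and restore
#    explorer.exe if nothing legitimate is left.
$shell   = (Get-ItemProperty -Path $winlogonKey -Name Shell).Shell
$entries = @($shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$keep    = @($entries | Where-Object { $allowedShells -contains ([IO.Path]::GetFileName($_)).ToLower() })
$dropped = @($entries | Where-Object { $keep -notcontains $_ })
if ($keep.Count -eq 0) { $keep = @('explorer.exe') }
$newShell = $keep -join ','
if ($dropped.Count -gt 0 -or $shell -ne $newShell) {
    $findings += [pscustomobject]@{ Key = "$winlogonKey\Shell"; Value = $shell }
    if ($PSCmdlet.ShouldProcess("$winlogonKey\Shell", "Set to '$newShell' (was '$shell')")) {
        Set-ItemProperty -Path $winlogonKey -Name Shell -Value $newShell
    }
}

if ($findings.Count -eq 0) { 'No Troj/Daemoni-E registry entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Save it as, for example, Clean-DaemoniE.ps1 and run `.\Clean-DaemoniE.ps1 -WhatIf` first to list what would be removed without changing anything. Only the hives of users currently logged on appear under HKEY_USERS; for other users, either log on as each of them and rerun, or load their NTUSER.DAT with `reg.exe load` before running.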
More Information
Troj/Daemoni-E is a backdoor proxy Trojan that allows a remote intruder to route internet traffic through the infected computer.

The Trojan consists of two parts: a main part that provides the remote access, and a downloading and installing component that can download new versions of itself or other malicious software from a remote website.

The downloading component copies itself to the current user's Startup folder and to the Windows system folder, and modifies the following registry entry so that it runs on system start:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The downloading component also drops a stealthing component as st.exe to the Windows folder, which it then executes.

At the time of writing, the main part of Troj/Daemoni-E drops two parts of itself to the Windows system folder as socket.exe and svchostz.exe. Note that svchostz.exe is a dropped file whose name imitates the legitimate Windows svchost.exe; the genuine svchost.exe is not part of the Trojan. The Trojan then creates the following registry entries so that svchostz.exe runs automatically on system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Socket Utility
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Socket Utility
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Socket Utility
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Socket Utility
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Socket Utility
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Socket Utility
Troj/Daemoni-E also changes the following registry entry, appending its own entry to the existing value so that svchostz.exe is run automatically:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The Trojan then executes svchostz.exe. Svchostz.exe executes socket.exe to start the proxy and connects to a remote website to report that the computer is available to the intruder.
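The file and process indicators described above can be checked on a suspect host. The following PowerShell is an added, read-only triage example written for this page; it is not Sophos code. It assumes PowerShell 4 or later (for Get-FileHash) and leaves registry persistence to the manual steps in the Action section. The page does not give the name the downloading component uses in the Startup folder, so every executable found there is listed for manual review rather than matched by name.

```powershell
# Added example, not from the Sophos page: read-only triage for the file and
# process indicators of Troj/Daemoni-E described above. Nothing is deleted.
$sysDir    = [Environment]::SystemDirectory   # Windows system folder, e.g. C:\WINDOWS\system32
$winDir    = $env:SystemRoot                  # Windows folder, e.g. C:\WINDOWS
$dropNames = @('socket.exe', 'svchostz.exe', 'st.exe')
$dropPaths = @(
    (Join-Path $sysDir 'socket.exe'),
    (Join-Path $sysDir 'svchostz.exe'),
    (Join-Path $winDir 'st.exe')
)
$report = @()

# Dropped files: record size and SHA-256 so the sample can be matched or submitted.
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $report += [pscustomobject]@{
            Indicator = 'DroppedFile'; Path = $path
            Detail    = "$($item.Length) bytes, SHA256 $hash"
        }
    }
}

# Running components. svchostz.exe is named to resemble the genuine svchost.exe,
# so match on the exact image name and report the full path of the image.
$procs = Get-CimInstance -ClassName Win32_Process | Where-Object { $dropNames -contains $_.Name }
foreach ($p in $procs) {
    $report += [pscustomobject]@{
        Indicator = 'Process'; Path = $p.ExecutablePath
        Detail    = "PID $($p.ProcessId): $($p.CommandLine)"
    }
}

# Startup folders (per-user and all-users): the downloader copies itself here,
# but the page gives no file name, so list every .exe for review.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    foreach ($exe in Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $report += [pscustomobject]@{
            Indicator = 'StartupExe'; Path = $exe.FullName
            Detail    = 'executable in a Startup folder; review manually'
        }
    }
}

if ($report.Count -eq 0) { 'No Troj/Daemoni-E file or process indicators found.' }
else { $report | Format-Table -AutoSize -Wrap }
```

Run it before cleaning so the hashes and command lines are preserved for the incident record; a hit on svchostz.exe in the system folder with a 'Process' row is the strongest confirmation, while a bare Startup-folder listing needs a human to decide what is legitimate.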
