Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 13 September 2004 13:26:45 (GMT) |
| Last updated | 14 September 2004 09:22:36 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Dalixy-B is a backdoor Trojan for the Windows platform.
The Trojan allows a malicious user remote access to an infected computer.
When executed the Trojan copies itself to the Windows folder as winlogon.exe, drops the file ws3_32.dll and attempts to download and run the files dfp.exe, pspv.exe and winls.exe.
These three downloaded files are password recovery tools which, when run by the Trojan, leave their output in the files windows.ini, windows2.ini and windows4.ini in the Windows folder.
These files and applications are not malicious by themselves but are a security risk and should be deleted.
In order to run automatically when Windows starts up Troj/Dalixy-B creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
winlogon = C:\WINDOWS\winlogon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
winlogon = C:\WINDOWS\winlogon.exe
The Trojan also creates the following registry entry:
HKLM\Software\Classes\CLSID\(57853A3E-0C30-4654-A335-7189A22B973F)\
InProcServer32\
ws3_32.dll
and changes:
HKLM\Software\Microsoft\OLE
EnableDCOM = N
The Trojan provides proxy functionality on a random port and registers the infection by sending an email and connecting to an IRC network.
Troj/Dalixy-B has functionality to collect passwords and other sensitive information.
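As an added example that is not part of the Sophos analysis, the Python check below scans a `.reg`-style registry export for the persistence markers listed above: the two Run values, the CLSID InProcServer32 entry and the EnableDCOM change. The export text is constructed, the CLSID is written in braces as the registry stores it, and the function names (`parse_reg`, `find_dalixy_indicators`) are my own.

```python
# Constructed sample of what a registry export of the locations the
# advisory names might look like on an infected host (not real data).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\WINDOWS\\winlogon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\WINDOWS\\winlogon.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{57853A3E-0C30-4654-A335-7189A22B973F}\InProcServer32]
@="ws3_32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"
"""

def parse_reg(text):
    """Parse a .reg export into {KEY: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].upper()          # key paths are case-insensitive
            keys[current] = {}
        elif current and '=' in line:
            name, _, data = line.partition('=')
            name = name.strip().strip('"').lower()  # value names are case-insensitive
            # .reg files escape backslashes in string data as "\\"
            keys[current][name] = data.strip().strip('"').replace('\\\\', '\\')
    return keys

def find_dalixy_indicators(keys):
    """Return the Troj/Dalixy-B registry markers present in a parsed export."""
    hits = []
    for hive in ('HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER'):
        run = keys.get(hive + r'\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN', {})
        data = run.get('winlogon', '')
        # The genuine winlogon.exe lives in System32; a Run value pointing at a
        # copy directly in the Windows folder matches the advisory.
        if data.lower().endswith(r'\windows\winlogon.exe'):
            hits.append(f'{hive} Run value winlogon -> {data}')
    for key, values in keys.items():
        if '57853A3E-0C30-4654-A335-7189A22B973F' in key and key.endswith('INPROCSERVER32'):
            if values.get('@', '').lower() == 'ws3_32.dll':
                hits.append('CLSID InProcServer32 default value -> ws3_32.dll')
    ole = keys.get(r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE', {})
    if ole.get('enabledcom', '').upper() == 'N':
        hits.append('HKLM\\Software\\Microsoft\\OLE EnableDCOM set to N')
    return hits

if __name__ == '__main__':
    for hit in find_dalixy_indicators(parse_reg(SAMPLE_REG)):
        print('indicator:', hit)
```

Feed it the output of `reg export` for the keys above on a suspect machine; an empty result means none of the registry markers described here are present, not that the host is clean.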
