Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 15 September 2004 07:56:56 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Dloader-CC is a downloader Trojan which tries to download and install new executables and disable/remove existing software (typically undesirable software such as adware).
Troj/Dloader-CC tries to download the files dk32.exe, dk.exe, dktime.exe and sexxx.exe from a remote server via port 80 (HTTP) to the Windows system folder and the files toolbar.exe, test and mstasks1.exe to the Windows folder.
Troj/Dloader-CC attempts to terminate any currently active processes named:
telnet.exe, loadclean.exe, ykyrtws.exe, printer32.exe, printer.exe, exdl.exe, fnnmqi.exe, iinstall.exe, optimize.exe, actalert.exe, istsvc.exe, Winad.exe, WinClt.exe, bargains.exe, ttgkirnl.exe, Installer2.exe, bdl74125.exe, powerscan.exe, alchem.exe, sidefind.exe, host32.exe, teur.exe, usb.exe, twink64.exe, intron.exe, ir.exe or lpt.exe.
Troj/Dloader-CC attempts to delete the following files:
%WINDOWS%\loadclean.exe
%WINDOWS%\preInMPP.exe
%WINDOWS%\preInsln.exe
%WINDOWS%\preInsTT.exe
%WINDOWS%\adp8027_isearchtech5.exe
%WINDOWS%\alchem.exe
%SYSTEM%\usb.exe
%SYSTEM%\twink64.exe
%SYSTEM%\intronet.exe
%SYSTEM%\intron.exe
%SYSTEM%\ir.exe
%SYSTEM%\lpt.exe
%SYSTEM%\ykyrtws.exe
%SYSTEM%\printer32.exe
%SYSTEM%\printer.exe
%SYSTEM%\mscdexnt.exe
%SYSTEM%\fastopen.exe
%SYSTEM%\exul.exe
%SYSTEM%\exe2bin.exe
%SYSTEM%\exdl.exe
%SYSTEM%\fnnmqi.exe
%SYSTEM%\com.exe
%SYSTEM%\mouse.exe
%SYSTEM%\telnet.exe.tmp
%SYSTEM%\host32.exe
%TEMP%\msbb.exe
%TEMP%\Installer2.exe
%TEMP%\bdl74125.exe
Troj/Dloader-CC also attempts to disable startup for selected applications by deleting sub-keys of the registry entries
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and
HKCR\Software\Microsoft\Windows\CurrentVersion\Run\
named:
"Winad Client", "Power Scan", "msbb", "IST Service", "Internet Optimizer", "dmesewxqtj", "BullsEye Network", "Alchem", "ControlPanel", "Tern" or "Ukbybc".
Troj/Dloader-CC also creates a new version of the HOSTS file, mapping selected URLs to the loopback address 127.0.0.3 in an attempt to disable access to these sites.

