Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 17 January 2005 22:12:32 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Dloader-GL is a Trojan which downloads and runs files without the user's consent.
The Trojan downloads and runs files from a remote website, storing them as any of the following files:
<system>\vxh8jkdq5.exe
<system>\vxh8jkdq2.exe
<system>\vxh8jkdq1.exe
<temp>\1.qtdfmp
<temp>\2.qtdfmp
<temp>\3.qtdfmp
<temp>\4.qtdfmp
<temp>\5.qtdfmp
Troj/Dloader-GL adds the following entries to the HOSTS file so that the listed websites resolve to 127.0.0.3 and cannot be reached:
127.0.0.3 www.iframedollars.biz
127.0.0.3 iframedollars.biz
127.0.0.3 www.virgin-tgp.net
127.0.0.3 aaasexypics.com
127.0.0.3 www.aaasexypics.com
127.0.0.3 www.pizdato.biz
127.0.0.3 www.newiframe.biz
127.0.0.3 www.allforadult.com
127.0.0.3 allforadult.com
127.0.0.3 awmdabest.com
127.0.0.3 www.sexfiles.nu
127.0.0.3 www.awmdabest.com
127.0.0.3 www.autoescrowpay.com
127.0.0.3 counter.sexmaniack.com
127.0.0.3 autoescrowpay.com
The Trojan terminates processes with any of the following names:
actalert.exe
alchem.exe
bargains.exe
exdl.exe
fnnmqi.exe
host32.exe
iinstall.exe
Installer2.exe
intron.exe
intronet.exe
ir.exe
istsvc.exe
lpt.exe
optimize.exe
powerscan.exe
printer.exe
printer32.exe
sidefind.exe
systime.exe
telnet.exe
teur.exe
ttgkirnl.exe
usb.exe
Winad.exe
WinClt.exe
ykyrtws.exe
The Trojan attempts to delete the following files:
<system>\com.exe
<system>\dktibs.exe
<system>\exdl.exe
<system>\exe2bin.exe
<system>\exul.exe
<system>\fastopen.exe
<system>\fnnmqi.exe
<system>\host32.exe
<system>\intron.exe
<system>\intronet.exe
<system>\ir.exe
<system>\lpt.exe
<system>\mouse.exe
<system>\mscdexnt.exe
<system>\printer32.exe
<system>\systime.exe
<system>\telnet.exe.tmp
<system>\twink64.exe
<system>\usb.exe
<system>\ykyrtws.exe
<temp>\bdl74125.exe
<temp>\Installer2.exe
<temp>\msbb.exe
<windows>\adp8027_ISEARCHTECH5.exe
<windows>\alchem.exe
<windows>\preInMPP.exe
<windows>\preInsln.exe
<windows>\preInsTT.exe
C:\Program Files\WebSiteViewer\125209.exe
The Trojan copies itself to KERNELS32.EXE in the system folder and sets the following registry entries in order to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System
<system>\kernels32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <system>\kernels32.exe
The Trojan makes the following additional registry changes:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\209.8.20.130\
*
4
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133\
*
4
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\209.8.20.130\
*
4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133\
*
4
The Trojan attempts to delete registry entries in the location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with any of the following values:
180ax
alchem
BullsEye Network
CashBack
ControlPanel
Internet Optimizer
IST Service
Power Scan
SysTime
twink64.exe
Ukbybc
Winad Client
The Trojan attempts to delete registry entries in the location HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with any of the following values:
SysTime
twink64.exe
Usoa
The Trojan may delete the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
InternetExplorer6.0

