Summary
| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
Windows NT/2000/XP
On Windows NT/2000/XP you will also need to edit the registry entries below. Removing them is optional on Windows 95/98/Me. Please read the warning about editing the registry before you start.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any values that reference the files you deleted (DLDER.EXE in the Windows directory, and EXPLORER.EXE inside the hidden EXPLORER sub-directory of the Windows directory). Take care not to remove references to the legitimate Windows shell, explorer.exe, which lives directly in the Windows directory rather than in the EXPLORER sub-directory.
Close the registry editor.
You should also check for any changes that the intruder may have made.
More Information
Troj/Download-A consists of two files, DLDER.EXE and EXPLORER.EXE.

DLDER.EXE creates a hidden sub-directory called EXPLORER within the Windows directory. It then downloads a file from the internet and saves it as EXPLORER.EXE within the newly created sub-directory (this file is not the legitimate Windows shell explorer.exe, which sits directly in the Windows directory). It adds a value to the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that the downloaded file runs on system restart. It also creates the registry key
HKLM\Software\games\clicktilluwin

EXPLORER.EXE compromises the privacy of the user's system: it sends confidential information such as the host IP address, browser name and URLs visited to an external URL. It copies DLDER.EXE to the Windows directory and adds a value to the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that DLDER.EXE runs on system restart. Because DLDER.EXE re-downloads EXPLORER.EXE each time it runs, the Trojan's operator can replace EXPLORER.EXE from the remote location at any time.
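The following PowerShell script is an added example, not part of the Sophos write-up, that automates the checks and the registry cleanup described in the Action section using the indicators listed above (the hidden EXPLORER sub-directory, the two dropped files, the Run values that launch them, and the clicktilluwin key). It assumes a modern Windows host with PowerShell and administrative rights; the file names, paths and key names are those given on this page, and the backup file location and script name are assumptions. Run it with -WhatIf first to report only, then without to remove.

```powershell
# Clean-Download-A.ps1 (hypothetical name): triage and cleanup for Troj/Download-A.
# Added example, not Sophos code. Paths and key names come from the write-up above.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$markerKey = 'HKLM:\SOFTWARE\games\clicktilluwin'
$winDir    = $env:SystemRoot
$dropDir   = Join-Path $winDir 'EXPLORER'                 # hidden sub-directory made by DLDER.EXE
$dlder     = Join-Path $winDir 'DLDER.EXE'
$dropped   = Join-Path $dropDir 'EXPLORER.EXE'            # NOT the real shell, $winDir\explorer.exe
$suspects  = @($dlder, $dropped)

# 1. Back up the Run key before touching it (assumed backup path under %TEMP%).
$backup = Join-Path $env:TEMP ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
Write-Verbose "Run key exported to $backup"

# 2. Collect indicators.
$findings = @()
foreach ($f in $suspects) {
    if (Test-Path -LiteralPath $f) { $findings += "file: $f" }
}
if (Test-Path -LiteralPath $dropDir) {
    $attr = (Get-Item -LiteralPath $dropDir -Force).Attributes
    $findings += "dir: $dropDir (attributes: $attr)"
}
if (Test-Path -Path $markerKey) { $findings += "key: $markerKey" }

# Run values whose command line points at either dropped file. The second pattern
# requires the EXPLORER\ sub-directory so the legitimate explorer.exe is not matched.
$badValues = @()
$runProps  = Get-ItemProperty -Path $runKey
foreach ($p in $runProps.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }                 # provider metadata, not Run entries
    $cmd = [string]$p.Value
    if ($cmd -match '(?i)\\DLDER\.EXE\b' -or $cmd -match '(?i)\\EXPLORER\\EXPLORER\.EXE\b') {
        $badValues += $p.Name
        $findings  += "run value: $($p.Name) = $cmd"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Download-A indicators found.'
    return
}
$findings | ForEach-Object { Write-Output "FOUND $_" }

# 3. Stop running copies, matched by full path so the real shell is left alone.
Get-Process -Name explorer, dlder -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($suspects -contains $_.Path) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Path, 'Stop-Process')) { Stop-Process -Id $_.Id -Force }
    }

# 4. Remove the Run values, the files, the hidden directory and the marker key.
foreach ($v in $badValues) {
    if ($PSCmdlet.ShouldProcess("$runKey\$v", 'Remove Run value')) {
        Remove-ItemProperty -Path $runKey -Name $v
    }
}
foreach ($f in $suspects) {
    if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
        Remove-Item -LiteralPath $f -Force
    }
}
if ((Test-Path -LiteralPath $dropDir) -and $PSCmdlet.ShouldProcess($dropDir, 'Delete directory')) {
    Remove-Item -LiteralPath $dropDir -Recurse -Force
}
if ((Test-Path -Path $markerKey) -and $PSCmdlet.ShouldProcess($markerKey, 'Delete registry key')) {
    Remove-Item -Path $markerKey -Recurse
}
Write-Output 'Cleanup complete. Review the system for other changes the intruder may have made.'
```

Because DLDER.EXE re-downloads EXPLORER.EXE and each file re-registers the other in the Run key, both files and both Run values must go in the same pass; removing only one of them leaves the Trojan able to restore itself at the next restart. The -WhatIf run lists every action without performing it, which is the check to make before deleting anything from the Windows directory.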
