Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | August 2008 (4.32) |
| Protection available since | 12 June 2008 05:24:49 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/DwnLdr-HEI is a Trojan for the Windows platform.
When run, Troj/DwnLdr-HEI creates the following files:
<System>\WinNt64.dll - detected as Troj/DwnLdr-HEI
<System>\drivers\Ucu24.sys - detected as Troj/DwnLdr-HEI
The file <System>\drivers\Ucu24.sys is registered as a driver service named "Ucu24", with the description "Ucu24" and a startup type of automatic, so it is loaded on every boot. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Ucu24\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UCU24\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ucu24.sys\
The file <System>\WinNt64.dll is registered as a Winlogon notification package, so that winlogon.exe loads it at startup and calls its exported WLEventStartShell function when the shell starts. The following values are set under the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt64:

| Value | Data |
|---|---|
| Asynchronous | 0 |
| DLLName | WinNt64.dll |
| ID | <number> |
| Impersonate | 0 |
| StartShell | WLEventStartShell |
| Unique | <random characters> |
The following registry entries are also set, so that the driver is still loaded when Windows is started in Safe Mode or Safe Mode with Networking:

| Key | Value | Data |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ucu24.sys | (default) | Driver |
| HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ucu24.sys | (default) | Driver |
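The following PowerShell triage script is an added example and is not part of the Sophos analysis. It checks a live Windows host for every artifact listed above: the two dropped files, the Ucu24 service and its LEGACY_UCU24 enumeration key, the SafeBoot entries, and the Winlogon\Notify subkey. The file names and registry paths are taken from the analysis; the output format, the decision to list every other Notify subkey, and the Get-FileHash reporting are assumptions of this example. Run it in an elevated session.

```powershell
# Added triage script; not part of the Sophos analysis. Checks a live Windows
# host for the Troj/DwnLdr-HEI artifacts listed above. Run elevated.
# File and key names come from the analysis; the output format and the
# "list every Notify subkey" heuristic are this example's own assumptions.

$Sys      = "$env:SystemRoot\System32"      # the <System> placeholder
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. Hashes are reported for your own records; the analysis
#    publishes no reference hashes, so none are compared here.
foreach ($f in "$Sys\WinNt64.dll", "$Sys\drivers\Ucu24.sys") {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $Findings.Add("File present: $f  SHA256=$hash")
    }
}

# 2. Driver service "Ucu24" and its legacy device-enumeration key.
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Ucu24'
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UCU24'
foreach ($k in $svcKey, $enumKey) {
    if (Test-Path -LiteralPath $k) { $Findings.Add("Registry key present: $k") }
}
$svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
if ($svc) {
    # Start=2 is SERVICE_AUTO_START; Type=1 is SERVICE_KERNEL_DRIVER.
    $Findings.Add("Service Ucu24: Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)")
}

# 3. SafeBoot entries that keep the driver loading in Safe Mode.
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\Ucu24.sys"
    if (Test-Path -LiteralPath $k) {
        $default = (Get-ItemProperty -LiteralPath $k).'(default)'
        $Findings.Add("SafeBoot\$mode\Ucu24.sys present, (default)='$default'")
    }
}

# 4. Winlogon notification package. The exact subkey from the analysis is
#    flagged as a match; every other Notify subkey is listed with its DLLName
#    so a renamed build stands out. Notification packages were removed in
#    Windows Vista, so on Vista or later any subkey here deserves a look; on
#    XP/2003 compare the list against a clean host of the same build.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -LiteralPath $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $p   = Get-ItemProperty -LiteralPath $_.PSPath
    $dll = [string]$p.DLLName
    # A bare file name in DLLName is loaded from System32; resolve it so the
    # file itself can be checked.
    $dllPath = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $Sys $dll }
    $exists  = Test-Path -LiteralPath $dllPath
    $tag     = if ($_.PSChildName -eq 'WinNt64') { 'MATCH Troj/DwnLdr-HEI' } else { 'review' }
    $Findings.Add("Winlogon\Notify\$($_.PSChildName): DLLName=$dll StartShell=$($p.StartShell) Asynchronous=$($p.Asynchronous) file_exists=$exists [$tag]")
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Troj/DwnLdr-HEI indicators found.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Because Ucu24.sys runs as a driver, answers from a live infected host are only as trustworthy as the kernel they come from. For a definitive check, boot from clean media, load the SYSTEM and SOFTWARE hives with `reg load`, and point the same key paths at the loaded hives; the Winlogon\Notify and SafeBoot entries are plain registry data and show up unchanged offline.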
