Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 10 May 2006 05:15:47 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Erazer-A is a Trojan for the Windows platform.
The Trojan creates a randomly named file in the temporary folder and executes the file. The created file is also detected as Troj/Erazer-A.
Troj/Erazer-A terminates the following processes if running:
adaware
alevir
anti
antitrojan
arr
Atupdater
au
Aupdate
Autodown
Autotrace
Autoupdate
Avltmain
Avpupd
Avwupd32
Avxquar
backweb
bargains
belt
bf1942
blss
bootconf
bpc
brasil
bundle
bvt
cfd
Cfiaudit
cmd32
cmesys
cpd
datemanager
dcomx
divx
dllcache
dllreg
dpps2
Drwebupw
dssagent
emsw
explore
fsg_4104
gator
gmt
hbinst
hbsrv
hotfix
hotpatch
htpatch
hxdl
hxiul
Icssuppnt
Icsupp95
idle
iedll
iedriver
iexplorer
inetlnfo
infus
infwin
init
intdel
isass
istsvc
jdbgmrg
kazaa
keenvalue
kernel32
launcher
lnetinfo
loader
Luall
mapisvc32
Mcupdate
md
mfin32
mmod
mostat
msapp
msbb
msblast
msblast
mscache
msccn32
mscman
msconfig
msdm
msdos
msiexec16
mslaugh
msmgt
msmsgri32
msrexe
mssys
msvxd
netd32
nssys32
nstask32
nsupdate
Nupgrade
onsrvr
open
optimize
Outpost
patch
pgmonitr
powerscan
prizesurfer
prmt
prmvr
ray
rb32
rcsync
regedit
run
run32dll
rundll
rundll16
ruxdll32
sahagent
save
savenow
sc
scam32
scrsvr
scvhost
service
servlce
servlces
setup
showbehind
sms
smss32
soap
spoler
spoolcv
spoolsv32
srng
ssgrate
start
start
stcloader
support
svc
svchostc
svchosts
svshost
system
system32
sysupd
taskmgr
teekids
trickler
trojan
tsadbot
tvmd
tvtmd
Update
webdav
win-bugsfix
win32
win32us
winactive
window
windows
wininetd
wininit
wininitx
winlogin
winmain
winnet
winppr32
winservn
winssk32
winstart
winstart001
wintsk32
winupdate
wnad
wupdater
wupdt
zone
zonealarm
The file created in the <Temp> folder is copied to:
<System>\drvsys.exe
<System>\drvsystem.exe
<System>\eraser32.exe
<System>\char.exe
<System>\zonex.exe
<System>\gothicmaster.exe
<System>\eraser.exe
<System>\layer32.exe
<System>\numlock.exe
The Trojan also copies itself to the shared folders of peer-to-peer (P2P) applications using the following filenames:
bf1942.exe
game.exe
goporn.exe
hdr3.exe
naturally13.exe
nero7.exe
officexpcrack.exe
optix133.exe
setup.exe
The Trojan also deletes files with the following extensions from the shared folders of P2P applications:
AVI BMP COM DOC DOT GIF HTM HTML JPG JS MP3 MP3 MPEG MPG RAR TXT VBS WAV WMA WMV ZIP
Troj/Erazer-A deletes files from the following locations:
<System>\*.doc
<System>\*.hlp
<System>\*.log
<User Profile>\*.avi
<User Profile>\*.bmp
<User Profile>\*.doc
<User Profile>\*.exe
<User Profile>\*.jpg
<User Profile>\*.mp3
<User Profile>\*.mpg
<User Profile>\*.ppt
<User Profile>\*.txt
The following folders are created for storing backup copies of original system files:
<System>\eraser
<System>\drvformat
<System>\temp32
The Trojan collects information from the infected computer and stores it in <System>\sysinfo.txt and <System>\syslog.dat.
Troj/Erazer-A creates the following registry entries in order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
COMSurrogate
"<System>\char.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ipconfig
"<System>\drvsys.exe"
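
The file, folder and Run-key artifacts listed above can be checked on a host with a read-only script. This is an added example, not Sophos tooling; it assumes <System> resolves to System32, and it also checks SysWOW64 and the Wow6432Node Run key for 64-bit Windows, which the page does not mention.

```powershell
# Added example: read-only check for the Troj/Erazer-A artifacts listed on this page.
# Assumption: <System> is %windir%\System32; SysWOW64 and Wow6432Node are included
# because a 32-bit program on 64-bit Windows is redirected there.
$systemDirs = @("$env:windir\System32", "$env:windir\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ }

# File and folder names taken from the page (copies, data files, backup folders)
$names = 'drvsys.exe','drvsystem.exe','eraser32.exe','char.exe','zonex.exe',
         'gothicmaster.exe','eraser.exe','layer32.exe','numlock.exe',
         'sysinfo.txt','syslog.dat','eraser','drvformat','temp32'

# Run-key value name -> file name the page says the value points to
$runValues = @{ 'COMSurrogate' = 'char.exe'; 'ipconfig' = 'drvsys.exe' }
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

foreach ($dir in $systemDirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden items
        $type = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
        $findings += [pscustomobject]@{
            Type     = $type
            Location = $path
            Detail   = "created $($item.CreationTimeUtc.ToString('u'))"
        }
    }
}

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($valueName in $runValues.Keys) {
        $data = $props.$valueName
        # Report only when both the value name and the target file match the page
        if ($data -and $data -like "*\$($runValues[$valueName])*") {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = "$key\$valueName"; Detail = $data
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Troj/Erazer-A artifacts from this list were found.' }
```

Several of these names are generic, so treat a hit as a lead to confirm with a scanner rather than as proof of infection.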


