high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Protection available since | 4 November 2009 23:51:18 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
<System>\drivers\etc\hosts needs to be restored from backup.
The registry entry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs is required for some security software to function. This value should be restored manually.
More Information
Troj/FakeVir-PU communicates via HTTP with the following locations:
91 . 212 . 127 . 226
When Troj/FakeVir-PU is installed it copies itself to
<Program Files>\<six random letters>\<four random letters>sysguard.exe
The following registry entries are created to run swsysysguard.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<eight random letters>
<Program Files>\<six random letters>\<four random letters>sysguard.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<eight random letters>
<Program Files>\<six random letters>\<four random letters>sysguard.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures
no
HKCU\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes
.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation
0x00000001
Registry entries are created under:
HKLM\SOFTWARE\AvScan
The following registry entry is deleted:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
Troj/FakeVir-PU alters the local hosts file to redirect internet traffic.
Troj/FakeVir-PU drops <System>\iehelper.dll which is detected as Troj/FakeSp-Gen.
|
