high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | December 2008 (4.36) |
| Protection available since | 11 October 2008 15:49:07 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Gamania-CJ is a password stealing Trojan for the Windows platform.
When Troj/Gamania-CJ is installed the following files are created:
<Windows>\Debug\<VARIABLE>.DLL
<Windows>\Debug\<VARIABLE>.EXE
<Temp>\<variable>.vmp.exe
where <variable> is a string of randomly generated lower-case characters and digits and <VARIABLE> is a string of randomly generated upper-case characters and digits.
The file <VARIABLE>.DLL is registered as a COM object and shell extension, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{F248A057-9371-48E4-988C-7845394554F2}
The following registry entries are created:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
debugger
IFEOFILE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
debugger
IFEOFILE
|
