Sophos

Troj/Hasik-A

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 15 October 2006 14:16:45 (GMT)
Detected by All Sophos products

More Information

Troj/Hasik-A is a Trojan for the Windows platform.

When first run, Troj/Hasik-A copies itself to the following locations (the folder and file names "Jangan dibuka" and "jangandiklik" are Indonesian for "Do not open" and "don't click"; the smss.exe and lsass.exe copies borrow the names of legitimate Windows binaries but sit outside <System>):

\Jangan dibuka\jangandiklik.exe
<Program Files>\Yahoo!\Messenger\ypager.exe
<Windows>\Installer\smss.exe
<Windows>\inf\lsass.exe
<System>\capslock.exe
<System>\numlock.exe
<System>\scrolllock.exe

and creates the following files:

\apel.txt
<Windows>\Registration\(02D4B3F1-FD88-11D1-960D-00805FC79235).(B992B056-85FB-4C1B-810B-E2BE4A206A6F).crmlog
<Windows>\apel.htm
<System>\Logfiles\w3svc1\ex061015.log

The following registry entries are created to run capslock.exe, numlock.exe and apel.txt on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RPCall_REPCLIENT
<System>\numlock.exe /register

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Apel
C:\apel.txt /register

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SRVState_REPCLIENT
<System>\capslock.exe /register

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<System>\numlock.exe

The following registry entries are changed to run Troj/Hasik-A on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\Installer\smss.exe

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
<System>\capslock.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\scrolllock.exe,

(the default value for this registry entry is "<Windows>\System32\userinit.exe,").

The following lines are added to the [windows] section of Win.ini to run jangandiklik.exe on startup:

run = C:\Jangan dibuka\jangandiklik.exe
load = C:\Jangan dibuka\jangandiklik.exe

Troj/Hasik-A changes settings for Microsoft Internet Explorer, including the Start Page and Search Page, by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling the registry editor (regedit), the Windows task manager (taskmgr) and the command prompt:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Policies\Microsoft\System
DisableCMD
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Command Processor
AutoRun
echo off|<Windows>\inf\lsass.exe|cls

(cmd.exe executes the AutoRun command line every time a command prompt is opened, so this entry relaunches the <Windows>\inf\lsass.exe copy whenever the user starts cmd.exe.)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoChangingWallPaper
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoHTMLWallPaper
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDispCpl
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
10

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoEntireNetwork
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoWorkgroupContents
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispBackgroundPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispAppearancePage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispScrSavPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispSettingsPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispCpl
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoFolderOptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
NoEntireNetwork
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
NoWorkgroupContents
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run
System handler
<System>\capslock.exe /register

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1

HKCU\Control Panel\Desktop
Wallpaper
<Windows>\apel.htm

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
Apel Organization

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
Apel Owner

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
ReportBootOk
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

(ffffff9d is the known value that turns off Windows File Protection, so Windows no longer restores protected system files that are replaced.)

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows NT\Winlogon\
HKCR\exefile\
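The start-up entries, Winlogon changes, Win.ini lines and lockdown policies listed above can be checked offline against a registry export. The Python script below is an added example written for this page, not Sophos code and not part of the threat analysis. It assumes a REGEDIT4/5-format .reg export and C:\WINDOWS as the Windows directory (neither is stated on the page), and it constructs its own sample export and win.ini text reproducing the entries above, plus one legitimate ctfmon.exe Run entry that must not be flagged. It generalises beyond the listed names: any start-up target that is not an executable, any smss.exe or lsass.exe launched from outside System32, and any Userinit chain with more than one entry is reported.

```python
"""Added triage helper (not Sophos code): scan regedit export text and win.ini text
for the Troj/Hasik-A start-up and lockdown indicators listed above."""
import configparser, re
from pathlib import PureWindowsPath
SYSTEM32 = r"c:\windows\system32"         # assumption: <System> is C:\WINDOWS\system32
MASQUERADE = {"smss.exe", "lsass.exe"}    # system binary names the Trojan reuses elsewhere
HASIK_FILES = {"numlock.exe", "capslock.exe", "scrolllock.exe", "jangandiklik.exe"}
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = {  # key -> value names holding a command line (None = every value)
    r"hkey_current_user\software\microsoft\windows\currentversion\run": None,
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": None,
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\run": None,
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"hkey_current_user\software\microsoft\command processor": {"autorun"},
}
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
LOCKDOWN = [(POLICY, "disableregistrytools"), (POLICY, "disabletaskmgr"), (POLICY, "disablecmd"),
            (r"hkey_current_user\software\policies\microsoft\system", "disablecmd")]
_KEY, _VAL = re.compile(r"^\[(.+)\]$"), re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$')

def parse_reg(text):
    """Parse REGEDIT4/5 text into {key.lower(): {name.lower(): value}} (assumed format).
    REG_SZ is unescaped, dword:XXXXXXXX becomes int, anything else is kept as raw text."""
    hive, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _KEY.match(line):
            key = hive.setdefault(m.group(1).lower(), {})
        elif key is not None and (m := _VAL.match(line)):
            name, data = (m.group(1) or "@").lower(), m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                key[name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                key[name] = int(data[6:], 16)
            else:
                key[name] = data
    return hive

def _targets(cmd):
    parts = [p.strip() for p in str(cmd).split("|") if p.strip()]  # '|' = cmd pipeline (AutoRun)
    return [p[1:].split('"', 1)[0] if p.startswith('"') else p.split()[0] for p in parts]

def _suspicious(path):
    """Why a start-up target looks like Troj/Hasik-A, or None if it looks clean."""
    p = PureWindowsPath(path)
    if p.name.lower() in HASIK_FILES:
        return "known Hasik-A file name"
    if p.name.lower() in MASQUERADE and str(p.parent).lower() != SYSTEM32:
        return f"{p.name} outside System32"
    if p.suffix and p.suffix.lower() not in (".exe", ".com", ".bat", ".cmd"):
        return "non-executable start-up target"   # e.g. C:\apel.txt /register

def triage(reg_text, win_ini_text=""):
    """Return human-readable findings; an empty list means no Hasik-A indicators."""
    hive, out = parse_reg(reg_text), []
    wl = hive.get(WINLOGON, {})
    shell = str(wl.get("shell", "explorer.exe")).strip()
    if shell.lower() != "explorer.exe":                  # default is just Explorer.exe
        out.append(f"Winlogon\\Shell = {shell!r}")
    chain = [e.strip() for e in str(wl.get("userinit", "")).split(",") if e.strip()]
    if len(chain) > 1 or any(PureWindowsPath(e).name.lower() != "userinit.exe" for e in chain):
        out.append(f"Winlogon\\Userinit chain = {chain}")
    if wl.get("system"):                                 # normally absent or empty
        out.append(f"Winlogon\\System = {wl['system']!r}")
    if wl.get("sfcdisable", 0) not in (0, "0"):          # ffffff9d switches WFP off
        out.append(f"Winlogon\\SFCDisable = {wl['sfcdisable']}")
    for key, names in RUN_KEYS.items():
        leaf = key.rsplit("\\", 1)[-1]
        for name, cmd in hive.get(key, {}).items():
            if names is None or name in names:
                for target in _targets(cmd):
                    if why := _suspicious(target):
                        out.append(f"{leaf}\\{name} -> {target}: {why}")
    for key, name in LOCKDOWN:
        if hive.get(key, {}).get(name) == 1:
            out.append(f"policy {name} = 1")
    if win_ini_text:
        ini = configparser.ConfigParser(interpolation=None, strict=False)
        ini.read_string(win_ini_text)
        for name in ("run", "load"):
            if val := ini.get("windows", name, fallback="").strip():
                out.append(f"win.ini [windows] {name} = {val!r}")
    return out

# Constructed sample export and win.ini reproducing the entries above, plus a clean ctfmon.exe Run entry.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\Installer\\smss.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\scrolllock.exe,"
"System"="C:\\WINDOWS\\system32\\capslock.exe"
"SFCDisable"=dword:ffffff9d
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RPCall_REPCLIENT"="C:\\WINDOWS\\system32\\numlock.exe /register"
"Apel"="C:\\apel.txt /register"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="echo off|C:\\WINDOWS\\inf\\lsass.exe|cls"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"""
SAMPLE_WIN_INI = "[windows]\nrun = C:\\Jangan dibuka\\jangandiklik.exe\nload = C:\\Jangan dibuka\\jangandiklik.exe\n"
```

Calling triage(SAMPLE_REG, SAMPLE_WIN_INI) yields eleven findings for the constructed sample (the Shell, Userinit, System and SFCDisable changes, the numlock.exe and apel.txt Run entries, lsass.exe in the cmd.exe AutoRun pipeline, the two policy values and the two Win.ini lines) and nothing for ctfmon.exe. For a real host, pass the text of a regedit or reg export plus the contents of <Windows>\win.ini; note that Version 5.00 exports are written as UTF-16LE, so open the file with encoding="utf-16" before handing the text over. DWORDs come back as integers, so SFCDisable shows as 4294967197 (0xffffff9d).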
