Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 17 June 2005 12:45:09 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
More Information
Troj/Klutz-A is a backdoor Trojan for the Windows platform.
When run, Troj/Klutz-A creates the folder <Windows>/VirtualMGR, and copies the following files to the folder:
- cffn1.gif
- cffn2.gif
- mac128.sys
- mssvc128.exe (Troj/Klutz-A)
- winsock.dll (Troj/Klutz-A)
Troj/Klutz-A also drops a file named mac128.sys to the <System> folder under NT-based Windows systems.
cffn1.gif and cffn2.gif are data files. mac128.sys is used to monitor registry and file system activity. winsock.dll is a keylogging DLL. mssvc128.exe is the backdoor component of the Trojan.
If run on a Windows NT-based system, the Trojan creates a service with the display name "VirtualMGR", which is used to automatically start the Trojan whenever the infected computer is started. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\VirtualMGR\
This service will have the description "Manages Virtual Memory Pages.If this service is stopped, system may not function properly.", and be added to the "MsNetSvc" service group.
The file system activity monitor, mac128.sys, will also be registered as a service, creating registry entries under the following:
HKLM\SYSTEM\CurrentControlSet\Services\mac128\
Troj/Klutz-A will also modify the following registry entry, adding the service group it is part of to the head of the list, so that it will be loaded before any other services:
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
List
Under non-NT based versions of Windows, Troj/Klutz-A will create the following registry entry so it will start when the infected system is started:
HKLM\Software\Microsoft\Active Setup\Installed Components\(db36810e-b0da-431c-b34d-41df3bf4a7c4)\
StubPath
<Windows>\VIRTUALMGR\MSSVC128.EXE -ActiveSetup
Troj/Klutz-A can be instructed to:
- List and terminate running processes
- List services available on the computer
- Retrieve information about the hardware and software on an infected system
- Create, rename, and delete files and folders
- Execute and compress files
- Act as an FTP server
- Retrieve cached passwords, and passwords from Protected Storage
- Send emails as specified by a remote intruder
The following registry entry may also be set, and Troj/Klutz-A may register itself as a proxy for Internet Explorer:
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\
ProxyEnable
1
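As an added defender-side triage check, not part of the Sophos write-up, the following PowerShell script looks on a Windows host for the files, service keys, ServiceGroupOrder change, Active Setup StubPath and ProxyEnable value listed above. File names, service names, key paths and value names are taken from the description; the script assumes that the <Windows> placeholder maps to $env:windir and <System> to System32, and it locates the Active Setup entry by its StubPath contents rather than by the GUID, so it does not depend on how the GUID is bracketed. Run it from an elevated prompt; it only reads, it changes nothing.

```powershell
# Added example (not Sophos code): read-only check for Troj/Klutz-A artifacts.
# Assumptions: <Windows> = $env:windir, <System> = System32; Active Setup entry
# is matched on its StubPath rather than on the GUID key name.
$findings = @()

# 1. Dropped folder and files under <Windows>\VirtualMGR
$dropDir = Join-Path $env:windir 'VirtualMGR'
foreach ($name in 'cffn1.gif','cffn2.gif','mac128.sys','mssvc128.exe','winsock.dll') {
    $p = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}
# On NT-based systems mac128.sys is also copied to the <System> folder (assumed System32)
$sysDriver = Join-Path $env:SystemRoot 'System32\mac128.sys'
if (Test-Path -LiteralPath $sysDriver) { $findings += "Driver present: $sysDriver" }

# 2. Services registered by the Trojan: VirtualMGR (backdoor) and mac128 (monitor)
foreach ($svc in 'VirtualMGR','mac128') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $findings += "Service key present: $key (ImagePath='$($props.ImagePath)'; Group='$($props.Group)')"
    }
}

# 3. ServiceGroupOrder\List: the Trojan moves its group, MsNetSvc, to the head of the list
$sgo = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder' `
        -Name List -ErrorAction SilentlyContinue
if ($sgo -and $sgo.List.Count -gt 0) {
    if ($sgo.List[0] -eq 'MsNetSvc') {
        $findings += "ServiceGroupOrder\List starts with MsNetSvc (group moved to head of load order)"
    } elseif ($sgo.List -contains 'MsNetSvc') {
        $findings += "ServiceGroupOrder\List contains MsNetSvc"
    }
}

# 4. Active Setup StubPath pointing at the dropped backdoor (the non-NT autostart path)
$asRoot = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
Get-ChildItem -LiteralPath $asRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -LiteralPath $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'VIRTUALMGR\\MSSVC128\.EXE') {
        $findings += "Active Setup StubPath in $($_.PSChildName): $stub"
    }
}

# 5. ProxyEnable under the current hardware profile, as set by the Trojan
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -LiteralPath $proxyKey -Name ProxyEnable -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) { $findings += "ProxyEnable=1 under $proxyKey" }

# 6. Is the backdoor component currently running?
if (Get-Process -Name mssvc128 -ErrorAction SilentlyContinue) { $findings += "Process mssvc128.exe is running" }

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Klutz-A artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A single hit on the service keys or the StubPath is enough to justify following the removal instructions in the Action section; ProxyEnable=1 on its own is not conclusive, since legitimate configurations also set it, so treat it as corroborating evidence only. The ServiceGroupOrder check is worth keeping in a baseline: an unexpected group at the head of List is a persistence trick that survives cleaning the service keys alone.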
