Sophos

Troj/Lohav-U

Aliases
  • Email-Worm.Win32.Bagle.pac
  • Trojan-Proxy.Win32.Mitglieder.dl
  • W32/Bagle.gen

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 28 September 2005 21:42:59 (GMT)
Last updated: 17 October 2005 09:08:53 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to delete the following registry entry for each user who ran the Trojan (on Windows 95/98/Me removing it is optional). Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\ (the code number is the user's security identifier, or SID). For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
  value name: ssgrate.exe
  value data: <System>\wintems.exe

and delete it if it exists.

Close the registry editor.
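The manual steps above can be scripted. The PowerShell script below is an added example, not a Sophos tool: it stops the running copy, removes the ssgrate.exe Run value from every user hive (temporarily loading the NTUSER.DAT of users who are not logged on, whose hives do not appear under HKEY_USERS in Regedit), deletes the dropped files, and also removes the HKCU\Software\DateTime9 key listed under More Information. It assumes the value and file names are exactly those given on this page and must be run from an elevated (Administrator) prompt.

```powershell
# Added example (not Sophos' removal tool). Automates the manual Troj/Lohav-U
# clean-up for every user profile on the machine. Run as Administrator.
# Assumptions: value/file names are exactly those on the advisory page; the
# DateTime9 key is removed as well although the manual steps do not require it.

$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'ssgrate.exe'
$configKey = 'Software\DateTime9'
$systemDir = [Environment]::GetFolderPath('System')          # <System>
$dropped   = 'wintems.exe', 'foro.exe', 'noat.exe'

function Remove-LohavFromHive {
    # $HiveRoot is a registry provider path such as 'HKU:\S-1-5-21-...'
    param([string]$HiveRoot)
    $runKey = "$HiveRoot\$runSubKey"
    $prop = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        Write-Output "  removing $valueName = $($prop.$valueName) under $HiveRoot"
        Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop
    }
    $cfg = "$HiveRoot\$configKey"
    if (Test-Path $cfg) {
        Write-Output "  removing key $cfg"
        Remove-Item -Path $cfg -Recurse -Force
    }
}

# 1. Stop the running copy first, or it may re-create the Run value after deletion.
foreach ($name in $dropped) {
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($name)) -ErrorAction SilentlyContinue |
        Stop-Process -Force
}

# 2. Expose HKEY_USERS as a drive and clean every hive that is currently loaded.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$loaded = @{}
foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }     # per-user HKCR hives hold no Run key
    $loaded[$sid] = $true
    Write-Output "checking loaded hive $sid"
    Remove-LohavFromHive -HiveRoot "HKU:\$sid"
}

# 3. Users who are not logged on have no hive under HKU. Find each profile in the
#    ProfileList, load its NTUSER.DAT under its SID, clean it, and unload it again.
$profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem -Path $profiles) {
    $sid = $p.PSChildName
    if ($loaded.ContainsKey($sid)) { continue }
    $imagePath = (Get-ItemProperty -Path $p.PSPath).ProfileImagePath
    $ntuser = Join-Path ([Environment]::ExpandEnvironmentVariables($imagePath)) 'NTUSER.DAT'
    if (-not (Test-Path $ntuser)) { continue }
    reg.exe load "HKU\$sid" $ntuser | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }        # hive in use or unreadable
    Write-Output "checking offline hive $sid ($ntuser)"
    try     { Remove-LohavFromHive -HiveRoot "HKU:\$sid" }
    finally {
        [GC]::Collect()                          # drop provider handles so unload succeeds
        reg.exe unload "HKU\$sid" | Out-Null
    }
}

# 4. Delete the dropped files from <System>.
foreach ($name in $dropped) {
    $file = Join-Path $systemDir $name
    if (Test-Path $file) {
        Remove-Item -Path $file -Force
        Write-Output "deleted $file"
    }
}
```

Because this Trojan intercepts system API functions and tries to disable security software, a clean-up run on the live infected system may be incomplete; confirm afterwards with a scan from a clean environment, as the Sophos instructions recommend for Trojans generally.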

More Information

Troj/Lohav-U is a backdoor Trojan for the Windows platform.

Troj/Lohav-U includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Lohav-U copies itself to <System>\wintems.exe and creates the following files:

<System>\foro.exe
<System>\noat.exe

Troj/Lohav-U sets the following registry entry to run wintems.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  value name: ssgrate.exe
  value data: <System>\wintems.exe

Several registry entries are also created under:

HKCU\Software\DateTime9

Troj/Lohav-U runs continuously in the background as a proxy server listening on port 17235. Traffic from other computers can be routed through the proxy to bypass access restrictions and to hide the IP address of the originating computer; the proxy may be used to relay spam email.
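The proxy listener is the indicator that can be checked both on the host and from the network. The PowerShell below is an added example, not Sophos code: Get-LocalListener parses netstat -ano for a TCP listener on the port and resolves the owning process, and Test-ProxyPort performs a timed TCP connect against a list of hosts so the listener can be found from another machine. It assumes only the port number stated on this page (17235); the 500 ms timeout and the 192.0.2.x addresses in the usage lines are constructed for illustration.

```powershell
# Added example (not Sophos code): locate the Troj/Lohav-U proxy on TCP 17235.
# Assumption: the port number is as stated in the advisory; hosts and timeout
# below are illustrative values.

function Get-LocalListener {
    param([int]$Port = 17235)
    # netstat -a -n -o -p tcp prints:  Proto  Local Address  Foreign Address  State  PID
    $results = @()
    foreach ($line in (netstat -a -n -o -p tcp)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        # 'LISTENING' is the English state label; localized Windows prints another word
        if ($f[3] -ne 'LISTENING' -or $f[1] -notmatch ":$Port$") { continue }
        $procId = [int]$f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = $null; $path = $null
        if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
        $results += New-Object PSObject -Property @{
            LocalAddress = $f[1]        # e.g. 0.0.0.0:17235 or [::]:17235
            ProcessId    = $procId
            ProcessName  = $name
            Path         = $path        # expected <System>\wintems.exe if infected
        }
    }
    return $results
}

function Test-ProxyPort {
    param([string[]]$ComputerName, [int]$Port = 17235, [int]$TimeoutMs = 500)
    foreach ($target in $ComputerName) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($target, $Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)      # throws if the port is closed
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ ComputerName = $target; Port = $Port; Open = $open }
    }
}

# Usage: check this host, then sweep a few addresses (constructed, documentation range).
Get-LocalListener -Port 17235 | Format-Table LocalAddress, ProcessId, ProcessName, Path -AutoSize
Test-ProxyPort -ComputerName '192.0.2.10', '192.0.2.11' | Format-Table ComputerName, Port, Open -AutoSize
```

Two caveats follow from the description on this page. The Trojan intercepts certain system API functions, so netstat and Get-Process on an infected host may not report it; a negative local result is not conclusive, whereas the remote connect test does not rely on the infected host's own APIs. Conversely, an open port 17235 on its own is not proof of infection; confirm by checking for the listed files and the Run value, or with a scan.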

Troj/Lohav-U attempts to contact a large number of remote PHP scripts in order to report to a remote user that the computer is infected.

Troj/Lohav-U attempts to download a file from a large number of remote websites, saving it as <System>\ban_list.txt. This file contains IP addresses gathered by the Trojan from those predefined locations.

Troj/Lohav-U attempts to disable services and processes related to anti-virus and security programs.

Troj/Lohav-U attempts to hide its presence by intercepting (stealthing) certain system API functions.

Troj/Lohav-U may attempt to download and execute further files.
