high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | July 2008 (4.31) |
| Protection available since | 9 May 2008 23:49:11 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Maha-T is a Trojan for the Windows platform.
When first run Troj/Maha-T copies itself to:
<Root>\smartass.dat
<Windows>\cnssr.exe
and creates the following file:
<Windows>\sqlserver.dll
This file is detected as Troj/Maha-Gen
The following registry entries are created to run cnssr.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\b5700x drive
StubPath
<Windows>\cnssr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
b5700x drive
<Windows>\cnssr.exe
The following registry entries are also created:
HKCU\Software\Microsoft\Internet Explorer\Main
FormSuggest PW Ask
no
HKCU\Software\Microsoft\Internet Explorer\Main
FormSuggest Passwords
no
HKCU\Software\Microsoft\Internet Explorer\Main
Use FormSuggest
no
HKCU\Software\Yahoo\Pager
Auto Login
0
HKCU\Software\Yahoo\Pager
Save Password
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
CLR
0
HKLM\SOFTWARE\Microsoft\Windows
winkthink
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
HKLM\SOFTWARE\Microsoft\Windows
yobitch
b5700x drive
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
DisableSavePassword
1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications
1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall
0
Troj/Maha-T changes the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
disabledomaincreds
1
|
