Sophos

Troj/Manifest-A

Aliases
  • W32.Manifest.Trojan

Summary

Affected operating systems: Windows
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

You will also need to edit the following registry entries.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the following HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Enumerate Service
= "C:\Program Files\Common Files\Services\wsys.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Folder Service
= "C:\<Program Files>\Common Files\Services\wssdtu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Serv-U
= "C:\Program Files\Common Files\Services\wssdsu.exe"

and delete them if they exist.

Close the registry editor.

You may also wish to delete the non-Trojan files listed under 'More Information' and to install an unaltered version of XviD MPEG-4 Codec.
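The registry and file clean-up above can be scripted so that the check is repeatable across machines. The following PowerShell script is an added example and is not part of the Sophos advisory: it looks for the three Run/RunServices values and the dropped files named in this page, reports what it finds, and (only when run with -Remove) exports the affected keys to a backup .reg file before deleting the values and the files detected as Troj/Manifest-A. The key paths, value names and file names are those given on this page; the backup folder, the -Remove switch and the assumption that "C:\<Program Files>\Common Files" means the standard Common Files folder ($env:CommonProgramFiles) are this example's own.

```powershell
# Added example, not part of the Sophos advisory. Run from an elevated PowerShell prompt.
param(
    [switch]$Remove,                                               # report only unless set
    [string]$BackupDir = (Join-Path $env:TEMP 'manifest-a-backup')  # example's own backup location
)

# Assumption: the advisory's "C:\<Program Files>\Common Files\Services" is the standard Common Files folder.
$servicesDir = Join-Path $env:CommonProgramFiles 'Services'

# Startup values the advisory says the Trojan creates (key, value name, expected image name).
$runValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Enumerate Service'; Image = 'wsys.exe'   },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Folder Service';    Image = 'wssdtu.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Serv-U';            Image = 'wssdsu.exe' }
)

# Files listed in the advisory. Only the first group is detected as the Trojan itself; the rest are
# the legitimate components it abuses, so they are reported but left for the operator to decide on.
$trojanFiles = 'Serv-u.ini', 'wssdsup.exe', 'wssdtu.exe'
$abusedFiles = 'wssdsu.exe', 'Bigfoot.bmp', 'Infospbz.bmp', 'Infospace.bmp', 'Swichbrd.bmp',
               'Verisign.bmp', 'Whowhere.bmp', 'Yahoo.bmp', 'starr.ini', 'wsys.exe', 'wsys.dll', 'slog.sys'

function Backup-RunKeys {
    # Equivalent of the advisory's "Export Registry File" step, limited to the keys we touch.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in ($runValues.Key | Sort-Object -Unique)) {
        if (-not (Test-Path $key)) { continue }                    # RunServices may not exist on NT-based Windows
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'               # reg.exe wants the non-provider form
        $outFile = Join-Path $BackupDir ((($key -split '\\')[-1]) + '.reg')
        reg.exe export $regPath $outFile /y | Out-Null
        Write-Host "Backed up $key to $outFile"
    }
}

function Find-ManifestEntries {
    $found = @()
    foreach ($v in $runValues) {
        $prop = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $found += [pscustomobject]@{
                Kind = 'Registry'; Trojan = $true; Key = $v.Key; Name = $v.Name
                Location = "$($v.Key)\$($v.Name)"; Value = $prop.($v.Name)
            }
        }
    }
    foreach ($f in ($trojanFiles + $abusedFiles)) {
        $path = Join-Path $servicesDir $f
        if (Test-Path -LiteralPath $path) {
            $found += [pscustomobject]@{
                Kind = 'File'; Trojan = ($f -in $trojanFiles); Key = $null; Name = $f
                Location = $path; Value = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
    # A running copy will hold its image file open, so removal needs the process stopped first.
    $running = Get-Process -Name wsys, wssdtu, wssdsu, wssdsup -ErrorAction SilentlyContinue
    foreach ($p in $running) {
        $found += [pscustomobject]@{
            Kind = 'Process'; Trojan = $true; Key = $null; Name = $p.ProcessName
            Location = "PID $($p.Id)"; Value = $p.Path
        }
    }
    return $found
}

function Remove-ManifestEntries([object[]]$Entries) {
    Backup-RunKeys
    foreach ($e in ($Entries | Where-Object Trojan)) {
        switch ($e.Kind) {
            'Process'  { Stop-Process -Id ([int]($e.Location -replace '^PID ', '')) -Force -ErrorAction Stop }
            'Registry' { Remove-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction Stop }
            'File'     { Remove-Item -LiteralPath $e.Location -Force -ErrorAction Stop }
        }
        Write-Host "Removed $($e.Kind): $($e.Location)"
    }
}

$entries = Find-ManifestEntries
if (-not $entries) { Write-Host 'No Troj/Manifest-A indicators found.'; return }
$entries | Format-Table Kind, Trojan, Location, Value -AutoSize
if ($Remove) {
    Remove-ManifestEntries $entries
} else {
    Write-Host 'Report only. Re-run with -Remove to back up the Run keys and delete the entries marked Trojan.'
}
```

The non-Trojan files (the Serv-U FTP server, the bitmaps and the other wsys components) are deliberately only reported with their SHA-256 hashes, since the advisory leaves their removal to you; the hashes are handy for submitting samples or comparing against a clean XviD install. Get-FileHash and the -in operator need PowerShell 4 or later.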

More Information

Troj/Manifest-A is a backdoor Trojan which allows unauthorised access to a computer from a remote location.

Troj/Manifest-A pretends to be an installation program for XviD MPEG-4 Codec. Upon execution, Troj/Manifest-A installs the above program but then drops the following files to the folder C:\<Program Files>\Common Files\Services:

wssdsu.exe
Bigfoot.bmp
Infospbz.bmp
Infospace.bmp
Swichbrd.bmp
Verisign.bmp
Whowhere.bmp
Yahoo.bmp

starr.ini
wsys.exe
wsys.dll
slog.sys

Serv-u.ini (detected as Troj/Manifest-A)
wssdsup.exe (detected as Troj/Manifest-A)
wssdtu.exe (detected as Troj/Manifest-A)

Troj/Manifest-A makes use of some legitimate software to allow unauthorised access and to monitor the victim computer; for example, it uses an FTP server program together with an altered initialisation file, Serv-u.ini, which allows a remote intruder to upload or download files.

Troj/Manifest-A sets the following registry entries so that the Trojan and the legitimate software it uses are run on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Enumerate Service
= "C:\Program Files\Common Files\Services\wsys.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Folder Service
= "C:\<Program Files>\Common Files\Services\wssdtu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Serv-U
= "C:\Program Files\Common Files\Services\wssdsu.exe"
