Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 3 July 2009 18:46:59 (GMT) |
| Detected by | All Sophos products |

Action

Please follow the instructions for removing Trojans.
More Information
When first run, Troj/Mdrop-CDP creates a DLL file on disk with a random name made of lowercase letters and numbers, with a .dIl extension ("dee", uppercase "eye", lowercase "ell").
The DLL file that is created is detected as Troj/CoreFlood-N. The DLL is created in the system folder. On computers with an NTFS filesystem, this DLL may be created as an Alternate Data Stream (ADS), typically an ADS of the system folder (e.g., C:\Windows\system32:msxmc4.dIl).
The following registry entries are created to ensure Troj/CoreFlood-N is loaded when Windows starts, and when Explorer is run:
HKCR\CLSID\<random CLSID>\InprocServer32
<System>\<random lowercase name>.dIl

HKCR\CLSID\<random CLSID as above>
<random lowercase name as above>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
<random lowercase name as above>
<random CLSID as above>
Troj/CoreFlood Trojans typically log keystrokes and attempt to steal passwords, including banking passwords. Additionally, Troj/CoreFlood Trojans typically act as backdoors, allowing a remote attacker access to the infected computer and control over it.
Randomly named .dat files with encrypted contents may be created in the same folder as the dropped DLL. These are harmless and can be deleted, but the default system folder often contains critical .dat files, so use caution.
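
The naming details above can be turned into a triage check over DLL paths, for instance InprocServer32 data exported from the registry. The Python sketch below is an added example, not Sophos code: it flags the case-exact .dIl extension and paths that point into an alternate data stream. The function names and all sample values except the ADS path quoted above are constructed for illustration.

```python
import re

# Case-sensitive on purpose: lowercase d, uppercase I, lowercase l.
# A case-insensitive comparison would never tell ".dIl" apart from ".dll".
LOOKALIKE_EXT = re.compile(r"\.dIl$")
# The page says the random name uses lowercase letters and numbers.
RANDOM_NAME = re.compile(r"^[a-z0-9]+$")


def split_stream(path):
    """Split 'C:\\dir\\file:stream' into (file path, stream name or None)."""
    drive, rest = (path[:2], path[2:]) if path[1:2] == ":" else ("", path)
    base, sep, stream = rest.partition(":")
    # Drop an optional stream type suffix such as ':$DATA'.
    return drive + base, (stream.partition(":")[0] if sep else None)


def check_module_path(path):
    """Return the findings for one DLL path taken from registry data."""
    findings = []
    base, stream = split_stream(path.strip().strip('"'))
    leaf = stream if stream is not None else base.rsplit("\\", 1)[-1]
    if LOOKALIKE_EXT.search(leaf):
        findings.append("lookalike-extension")
        if RANDOM_NAME.match(leaf[:-4]):
            findings.append("lowercase-alnum-name")
    if stream is not None:
        findings.append("alternate-data-stream")
    return findings


def scan(values):
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {v: f for v in values if (f := check_module_path(v))}


# Constructed sample input, apart from the ADS path quoted on the page.
SAMPLE_INPROC_VALUES = [
    r"C:\Windows\system32\shell32.dll",
    r"C:\Windows\system32\SHELL32.DLL",
    r"C:\Windows\system32\kq3v7ab.dIl",
    r"C:\Windows\system32:msxmc4.dIl",
]

if __name__ == "__main__":
    for value, findings in scan(SAMPLE_INPROC_VALUES).items():
        print(value, "->", ", ".join(findings))
```

A hit is a lead for further inspection of the referenced CLSID and overlay-handler entry, not a verdict on its own.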

