Antivirus and Security Software from Sophos

Troj/Mdrop-CTW

Summary

Affected operating systems Windows
Protection available since 29 July 2010 23:13:46 (GMT)
Detected by All Sophos products

More Information

Troj/Mdrop-CTW is a Trojan for the Windows platform.

Troj/Mdrop-CTW includes functionality to run automatically, access the internet, and communicate with a remote server via HTTP.

Troj/Mdrop-CTW communicates via HTTP with the following locations:

irs . gov
91 . 216 . 122 . 60

When Troj/Mdrop-CTW is installed, the following files are created:

<Windows>\inf\AcroIEHelper.dll
<Windows>\inf\alg.exe

The file alg.exe is registered as a new service named "WSALG2", with a display name of "Application Layer Gateway Service2". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WSALG2

The file AcroIEHelper.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\DownloadManager
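To check a host for the indicators listed above, the following read-only PowerShell script is an added example and not part of the Sophos description; it assumes <Windows> resolves to $env:windir and that it is run in an elevated session so the HKLM and HKCR keys are readable.

```powershell
# Added example (not Sophos code): read-only check for the Troj/Mdrop-CTW
# indicators described above. Reports findings only; changes nothing.

$clsid = '{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}'

$indicators = @(
    @{ Kind = 'File';     Path = Join-Path $env:windir 'inf\AcroIEHelper.dll' }
    # The legitimate alg.exe lives in System32; a copy under inf is the indicator.
    @{ Kind = 'File';     Path = Join-Path $env:windir 'inf\alg.exe' }
    @{ Kind = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WSALG2' }
    @{ Kind = 'Registry'; Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" }
    @{ Kind = 'Registry'; Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid" }
    # Generic key name; treat a hit here as supporting evidence, not proof on its own.
    @{ Kind = 'Registry'; Path = 'HKLM:\SOFTWARE\Microsoft\DownloadManager' }
)

function Test-MdropCtwIndicators {
    # Test-Path handles both file system and registry provider paths.
    $hits = @(foreach ($i in $indicators) {
        if (Test-Path -LiteralPath $i.Path) {
            [pscustomobject]@{ Kind = $i.Kind; Path = $i.Path }
        }
    })
    # The registered service is an independent signal from the file and key checks.
    $svc = Get-Service -Name 'WSALG2' -ErrorAction SilentlyContinue
    if ($svc) {
        $hits += [pscustomobject]@{ Kind = 'Service'; Path = "WSALG2 ($($svc.DisplayName))" }
    }
    return $hits
}

$found = Test-MdropCtwIndicators
if ($found.Count -gt 0) {
    Write-Warning "Troj/Mdrop-CTW indicators present on $($env:COMPUTERNAME):"
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No Troj/Mdrop-CTW indicators found.'
}
```

A hit on the WSALG2 service or the BHO CLSID is the strongest signal; confirm with a full scan from a Sophos product before acting on the DownloadManager key alone.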
