Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 17 March 2009 17:19:59 (GMT) |
| Last updated | 17 March 2009 19:32:59 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Merein-E is a Trojan for the Windows platform.
Troj/Merein-E includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/Merein-E is installed, the following files are created:
<User>\Local Settings\Application Data\svchost.exe
<User>\ftpdll.dll
<System>\drivers\ctfmon.exe
<System>\ftpdll.dll
The files svchost.exe and ctfmon.exe are also detected as Troj/Merein-E. The files <System>\ftpdll.dll and <User>\ftpdll.dll are detected as Troj/Dloadr-BMT.
The following registry entries are created to run Troj/Merein-E on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ntuser
<System>\drivers\ctfmon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
autoload
<User>\Local Settings\Application Data\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ntuser
<System>\drivers\ctfmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
autoload
<User>\Local Settings\Application Data\svchost.exe

The file <System>\drivers\ctfmon.exe is registered as a service named "Schedule" (replacing any existing services named "Schedule"). Registry entries are created or modified under:
HKLM\SYSTEM\CurrentControlSet\Services\Schedule
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UIHost
logonui.exe
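
A read-only host check for the files, Run values and service entry listed above, as an added example that is not part of the original Sophos description. It assumes <System> maps to %SystemRoot%\System32, <User> maps to the current user's profile directory, and the service binary path is stored in the standard ImagePath value.

```powershell
# Added example. Assumptions: <System> = %SystemRoot%\System32 and
# <User> = the current user's profile; only this user's HKCU is checked.
$sys  = Join-Path $env:SystemRoot 'System32'
$user = $env:USERPROFILE
$findings = @()

# Files the description says are created on installation.
$files = @(
    (Join-Path $user 'Local Settings\Application Data\svchost.exe'),
    (Join-Path $user 'ftpdll.dll'),
    (Join-Path $sys  'drivers\ctfmon.exe'),
    (Join-Path $sys  'ftpdll.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Run values "ntuser" and "autoload" under both hives.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'ntuser', 'autoload') {
        if ($props -and $props.$name) {
            $findings += "Run value: $key\$name = $($props.$name)"
        }
    }
}

# "Schedule" service pointing at drivers\ctfmon.exe.
# Assumption: the binary path is stored in the standard ImagePath value.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' `
       -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath -like '*\drivers\ctfmon.exe*') {
    $findings += "Schedule service image: $($svc.ImagePath)"
}

# Winlogon UIHost is printed for review only, not counted as a finding.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
            -ErrorAction SilentlyContinue
if ($winlogon) { Write-Output "Winlogon UIHost = $($winlogon.UIHost)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Merein-E indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND $_" }
}
```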

