Summary

| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing Trojans.
Renaming the registry editor
- Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
- Rename the copy of Regedit.exe to Regedit.scr.
- At the taskbar, click Start|Run. Type 'Regedit.scr' and press Return. The registry editor opens.
Editing the registry
You will need to edit the following registry entries, if they are present.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
HKEY_LOCAL_MACHINE
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
and remove any references to any files you deleted. Note: the entries may be in subfolders (subkeys); remove the complete entry.
HKEY_USERS
The HKEY_USERS section will have to be edited for all users who ran the Trojan. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any references to any files you deleted.
HKEY_CLASSES_ROOT
Locate the following HKEY_CLASSES_ROOT entries:
HKCR\batfile\Shell\Open\Command
HKCR\comfile\Shell\Open\Command
HKCR\exefile\Shell\Open\Command
HKCR\piffile\Shell\Open\Command
Typically an unaltered registry entry will be set to
HKCR\???file\shell\open\command\(default) = "%1" %*
The altered registry entry will be
HKCR\???file\shell\open\command\(default) = C:\WINDOWS\<filename>.exe /exec:"%1" %*
Delete only the text C:\WINDOWS\<filename>.exe /exec: where <filename> is the name of the Trojan file. Do not delete anything else.
Locate the following HKEY_CLASSES_ROOT entries:
HKCR\giffile\Shell\Open\Command
HKCR\htmlfile\Shell\Open\Command
HKCR\jpegfile\Shell\Open\Command
HKCR\txtfile\Shell\Open\Command
HKCR\Word.Document.?\Shell\Open\Command (where ? is any number or a blank)
Delete the Data within the entries. Delete only the Data, do not delete anything else.
Close the registry editor.
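The registry checks above can be done against the Backup export rather than by hand. The following Python script is an added example, not a Sophos tool and not part of the original page: it parses an exported .reg file and lists every value under the Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys (including subkeys) below HKLM and each HKU profile, and flags the Shell\Open\Command handler for batfile, comfile, exefile and piffile whenever its default data is not exactly "%1" %*. The export contents, the profile SID and the file name sample.exe are constructed placeholders, not real indicators. Because it reads the exported text rather than the live registry, it runs on any platform.

```python
"""Audit an exported registry file (.reg text) for the persistence locations
named in the removal instructions: the Run* keys under HKLM and HKU\\<sid>,
and the Shell\\Open\\Command handlers for executable file types.
Added example, not Sophos's code. SAMPLE_EXPORT below is constructed and
'sample.exe' is a placeholder, not a real indicator."""
import re
import sys

# Autostart keys from the instructions; a trailing subkey (e.g. RunOnceEx\0001)
# is allowed because the page notes the entries may sit in subfolders.
RUN_KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_USERS\\[^\\]+)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)(\\.+)?$",
    re.IGNORECASE,
)
# Handlers for executable types; on a clean system their default data is "%1" %*.
EXEC_HANDLER_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\(batfile|comfile|exefile|piffile)\\shell\\open\\command$",
    re.IGNORECASE,
)
CLEAN_HANDLER = '"%1" %*'


def unescape_reg_string(s):
    """Undo .reg string escaping: a backslash quotes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export. '@' becomes
    '(default)'; quoted string data is unescaped, other data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else unescape_reg_string(name.strip('"'))
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape_reg_string(data[1:-1])
            keys[current][name] = data
    return keys


def audit(keys):
    """Return (key, value_name, data, reason) for every entry worth review."""
    findings = []
    for key, values in keys.items():
        if RUN_KEY_RE.match(key):
            for name, data in values.items():
                findings.append((key, name, data, "autostart entry: confirm the program is expected"))
        elif EXEC_HANDLER_RE.match(key):
            data = values.get("(default)", "")
            if data != CLEAN_HANDLER:
                findings.append((key, "(default)", data, f"handler altered; clean value is {CLEAN_HANDLER}"))
    return findings


# Constructed sample export: one made-up profile SID and the placeholder 'sample.exe'.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\WINDOWS\\sample.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"1"="C:\\WINDOWS\\sample.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Loader"="C:\\WINDOWS\\sample.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\sample.exe /exec:\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    # Pass an export file to audit it; "Version 5.00" exports are UTF-16 text.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, data, reason in audit(parse_reg(text)):
        print(f"{key}\n  {name} = {data!r}\n  {reason}")
```

Exports written by the Windows 2000 and later registry editor ("Windows Registry Editor Version 5.00") are UTF-16; older REGEDIT4 exports are ANSI and should be opened with the system code page instead. The script deliberately reports every autostart value rather than guessing which is malicious, because the instructions rely on you knowing which files you deleted.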
Editing other configuration files
At the taskbar, right-click Start and select Explore.
Search for System.ini in the Windows folder and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Search for Win.ini in the Windows folder and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Search for Wininit.ini in the Windows folder and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Search for Winstart.bat in the Windows folder and open it in Notepad. (Note: this file is only present in early versions of Windows). Search for any references to the files you deleted. Delete the references.
Search for Autoexec.bat in the root directory and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Reboot your computer.
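The checks on System.ini, Win.ini, Wininit.ini, Winstart.bat and Autoexec.bat can be done in one pass. The following Python is an added example, not part of the Sophos page: it lists every line in those files that names a file you removed, flags the run=, load= and shell= startup directives of Win.ini and System.ini when they differ from their clean defaults (assumed here to be empty, empty and explorer.exe), and removes the references while keeping the directive itself intact. The file contents are constructed and sample.exe is a placeholder name.

```python
"""Scan the legacy startup files from the removal instructions (System.ini,
Win.ini, Wininit.ini, Winstart.bat, Autoexec.bat) for references to the files
you removed. Added example, not Sophos's code; SAMPLE_FILES below is
constructed and 'sample.exe' is a placeholder, not a real indicator."""
import re

# Startup directives in win.ini / system.ini and their value on a clean
# install (assumed defaults: no run/load programs, shell is explorer.exe).
CLEAN_DIRECTIVES = {
    "win.ini": {"run": "", "load": ""},
    "system.ini": {"shell": "explorer.exe"},
}


def find_references(text, removed_files):
    """Return (line_number, line) for each line naming one of removed_files
    (case-insensitive substring match on the bare file name)."""
    names = [n.lower() for n in removed_files]
    return [(no, line) for no, line in enumerate(text.splitlines(), 1)
            if any(n in line.lower() for n in names)]


def unexpected_directives(filename, text):
    """Return (directive, value) pairs in win.ini/system.ini whose value is
    not the clean default; other files yield nothing."""
    expected = CLEAN_DIRECTIVES.get(filename.lower(), {})
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1).lower() in expected:
            key, value = m.group(1).lower(), m.group(2)
            if value.lower() != expected[key].lower():
                found.append((key, value))
    return found


def remove_references(text, removed_files):
    """Return text with references to removed_files deleted. On key=value
    lines only the offending token is dropped so the directive survives
    (shell=explorer.exe sample.exe -> shell=explorer.exe); any other line
    that names a removed file is dropped entirely."""
    names = [n.lower() for n in removed_files]
    out = []
    for line in text.splitlines():
        if not any(n in line.lower() for n in names):
            out.append(line)
            continue
        key, sep, value = line.partition("=")
        if sep:
            kept = [t for t in value.split() if not any(n in t.lower() for n in names)]
            out.append(f"{key}={' '.join(kept)}")
        # otherwise the whole line was the reference: drop it
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed contents of the files after a hypothetical infection.
SAMPLE_FILES = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\sample.exe\n[fonts]\n",
    "system.ini": "[boot]\nshell=explorer.exe C:\\WINDOWS\\sample.exe\n[386Enh]\n",
    "autoexec.bat": "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nC:\\WINDOWS\\sample.exe\n",
}

if __name__ == "__main__":
    removed = ["sample.exe"]
    for name, text in SAMPLE_FILES.items():
        for no, line in find_references(text, removed):
            print(f"{name}:{no}: {line}")
        for key, value in unexpected_directives(name, text):
            print(f"{name}: {key}={value!r} is not the clean default")
        print(f"--- {name} after cleaning ---\n{remove_references(text, removed)}")
```

Review the output of find_references before applying remove_references to the real files, and keep a copy of each file first, exactly as the instructions have you back up the registry before editing it.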
More Information
Troj/Nettroj-A is a configurable and extensible backdoor Trojan. Infected hosts form a decentralised network that can be controlled by a malicious user.
When first executed the Trojan modifies several registry entries and INI files to become resident on the system. In particular the registry run entries Run, RunServices, RunOnce, RunOnceEx and RunServicesOnce below HKLM\Software\Microsoft\Windows\CurrentVersion are modified to point to the Trojan binary as are the Run and RunServices entries below HKCU\Software\Microsoft\Windows\CurrentVersion. The Shell\Open\Command entries for the txtfile, exefile, comfile, batfile, piffile, htmlfile, giffile, jpegfile and the Word.Document subentries below HKCR are similarly modified.
The system files Autoexec.bat, win.ini, system.ini, wininit.ini and winstart.bat are modified to start the Trojan.
In addition, the files .bat and a batch file with a non-ASCII filename are created in the Windows folder.
Troj/Nettroj-A attempts to connect to a list of IRC servers and tries to join a configurable channel. This IRC channel serves as the central communication and control channel for the backdoor network.

