Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 29 November 2004 09:27:03 (GMT) |
| Last updated | 28 February 2005 08:37:38 (GMT) |
| Detected by | All Sophos products (Endpoint Security and Control 9.0; Small business solutions 4.0) |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Padodor-R is a backdoor Trojan which installs as a plugin for Microsoft Internet Explorer.
Troj/Padodor-R copies itself to the Windows system folder with a random 8-character filename consisting either of an uppercase letter followed by 7 lowercase letters or an uppercase letter, 5 lowercase letters and "32", using an EXE extension.
Troj/Padodor-R also drops a DLL component to the Windows system folder with a random 8-character filename in the same format but with a DLL extension. This DLL is detected as Troj/Padodor-R.
Troj/Padodor-R sets an entry at the following location in the registry to point to the dropped DLL:
HKLM\SOFTWARE\Classes\CLSID\[7CFBACFF-EE01-1231-ABDD-416592E5D639]\InProcServer32
Troj/Padodor-R also sets the following entry in the registry:
HKLM\SOFTWARE\Classes\CLSID\[7CFBACFF-EE01-1231-ABDD-416592E5D639]\InProcServer32\ThreadingModel
Apartment
Troj/Padodor-R sets the following entry in the registry to run the DLL as a plugin for Internet Explorer:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger
[7CFBACFF-EE01-1231-ABDD-416592E5D639]
Troj/Padodor-R sets an entry at the following location in the registry:
HKLM\SOFTWARE\Microsoft\IE4\MGR
Troj/Padodor-R may drop the file XSLFDLNT.BAT to the Windows system folder or XSLFDL9X.BAT to the Windows folder. Troj/Padodor-R may try to delete the file CMD.PIF from the Windows system folder or the file COMMAND.PIF from the Windows folder.
Troj/Padodor-R may log user data to a file KENG32MK.DLL and to a random 8-character filename with a DAT extension in the Windows system folder.
Troj/Padodor-R periodically sends data to a remote website, currently to a page hosted at http://www.somet.mes.dr.nk.com.
Troj/Padodor-R uses stealthing techniques to try to make it more difficult to detect and remove.
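As an added defender-side illustration (this is not Sophos code and not part of the original advisory), the following Python checks a folder listing and a set of parsed registry values against the file-naming scheme and registry indicators described above; the sample listing and registry values are constructed, and the CLSID is reproduced as printed on this page.

```python
import re

# Naming scheme the advisory gives for the dropped EXE/DLL/DAT files: an uppercase
# letter + 7 lowercase letters, or an uppercase letter + 5 lowercase + "32".
RANDOM_NAME = re.compile(r"^(?:[A-Z][a-z]{7}|[A-Z][a-z]{5}32)\.(?:exe|dll|dat)$")
# Fixed filenames the page mentions (compared case-insensitively).
FIXED_NAMES = {"xslfdlnt.bat", "xslfdl9x.bat", "keng32mk.dll"}

# Registry indicators from the page; the CLSID is reproduced as the page prints it.
CLSID = "[7CFBACFF-EE01-1231-ABDD-416592E5D639]"
CLSID_KEY = "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID
SSODL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
IE4_KEY = r"HKLM\SOFTWARE\Microsoft\IE4"

def suspicious_filenames(listing):
    """Names matching the random scheme or a fixed name. The random scheme is
    weak evidence alone ('Kernel32.dll' fits its second form): corroborate hits."""
    return [n for n in listing if RANDOM_NAME.match(n) or n.lower() in FIXED_NAMES]

def registry_findings(values):
    """values: (key, value_name, data) triples, e.g. parsed from a registry
    export. Returns the advisory's indicators that are present."""
    found = []
    for key, name, data in values:
        if key == SSODL_KEY and name == "Web Event Logger" and data == CLSID:
            found.append("ShellServiceObjectDelayLoad loads the Padodor CLSID")
        elif key == CLSID_KEY + r"\InProcServer32":
            # The key's default value (empty name) holds the DLL path.
            if name == "" and RANDOM_NAME.match(data.rsplit("\\", 1)[-1]):
                found.append("InProcServer32 points to a randomly named DLL")
            elif name == "ThreadingModel" and data == "Apartment":
                found.append("InProcServer32 ThreadingModel = Apartment")
        elif key == IE4_KEY and name == "MGR":
            found.append(r"HKLM\SOFTWARE\Microsoft\IE4\MGR is present")
    return found

# Constructed sample inputs (not from the page): a system-folder listing and a
# handful of registry values as a parsed export might yield them.
SAMPLE_LISTING = ["Kbcdefgh.exe", "Mnopqr32.dll", "kernel32.dll", "Abcdefghi.exe",
                  "KENG32MK.DLL", "xslfdlnt.bat", "notepad.exe", "Qrstuvwx.dat"]
SAMPLE_REGISTRY = [
    (SSODL_KEY, "Web Event Logger", CLSID),
    (CLSID_KEY + r"\InProcServer32", "", r"C:\WINDOWS\system32\Mnopqr32.dll"),
    (CLSID_KEY + r"\InProcServer32", "ThreadingModel", "Apartment"),
    (IE4_KEY, "MGR", ""),
    (SSODL_KEY, "BenignEntry", "[00000000-0000-0000-0000-000000000000]"),
]

if __name__ == "__main__":
    print(suspicious_filenames(SAMPLE_LISTING), registry_findings(SAMPLE_REGISTRY))
```

On a live system the triples would come from a registry export (e.g. a parsed .reg file) and the listing from the Windows system folder; the filename check alone should never be treated as a verdict.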
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against the main component of Troj/Padodor-R (detected as Padodor-Gen) since version 3.87.
