Sophos

Troj/Padodor-S

Aliases
  • Backdoor.Win32.Padodor.al

Summary

Affected operating systems: Windows
Characteristics:
  • Drops more malware
  • Installs itself in the registry
Protection available since: 15 December 2004 14:48:12 (GMT)
Detected by: All Sophos products
More Information

Troj/Padodor-S is a Trojan which installs an Internet Explorer plugin that changes Internet Explorer settings and tries to send information to a remote website over HTTP.

When run, the Trojan creates the following files:

%SYSTEM%\<randomly named exe> (a copy of the Trojan)
%SYSTEM%\<randomly named dll> (the Internet Explorer plugin)

Troj/Padodor-S creates the following registry entries to register the Internet Explorer plugin so that the Trojan is loaded:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Web Event Logger = (7EFBAEFF-EE02-1333-ABDF-416572E5D639)

HKCR\CLSID\(7EFBAEFF-EE02-1333-ABDF-416572E5D639)\InProcServer32
  @ = %SYSTEM%\<randomly named dll>
  Threading Model = Apartment

The Trojan also creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
  BrowseNewProcess = yes

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  iexplore.exe = dword:00000000

HKLM\SOFTWARE\Microsoft\IE4
  MGR = +-engnchfn

HKCU\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\.Current

Troj/Padodor-S then changes the Internet Explorer security settings for Internet Zones, creates a randomly named HTML file in the current user's Temporary Internet Files folder and opens this file with Internet Explorer in an attempt to send information to a remote website.
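As an added example (not Sophos tooling), the following PowerShell audit enumerates the ShellServiceObjectDelayLoad persistence described above, resolves each CLSID to its InProcServer32 DLL and checks the DLL's signature, and reports the two Internet Explorer settings the advisory lists. It assumes an elevated session on the Windows host being examined; all cmdlets and key paths are standard Windows ones, and the "known-good" rule (Microsoft-signed DLL) is the auditor's assumption.

```powershell
# Added audit script, not Sophos code. Run elevated on the host under review.
$findings = @()

# 1. ShellServiceObjectDelayLoad: each value maps a display name to a CLSID whose
#    InProcServer32 DLL Explorer loads at logon. Legitimate entries are
#    Microsoft-signed system DLLs; an unsigned or missing DLL is worth a look.
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ssodl = Get-ItemProperty -Path $ssodlKey -ErrorAction SilentlyContinue
if ($ssodl) {
    foreach ($prop in $ssodl.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PowerShell metadata members
        $clsid = [string]$prop.Value
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll = '<no InProcServer32>'
        if ($srv) { $dll = [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)') }
        $status = 'missing'; $signer = 'n/a'
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll   # catalog-signed files also report Valid
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $findings += [pscustomobject]@{
            Check = 'SSODL'; Name = $prop.Name; CLSID = $clsid; Dll = $dll; Value = $status
            Suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
        }
    }
}

# 2. IE Local Machine Zone lockdown disabled for iexplore.exe (DWORD 0), as the advisory describes.
$fc = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$lock = Get-ItemProperty -Path $fc -Name 'iexplore.exe' -ErrorAction SilentlyContinue
$lockValue = 'absent'; if ($lock) { $lockValue = [string]$lock.'iexplore.exe' }
$findings += [pscustomobject]@{
    Check = 'FEATURE_LOCALMACHINE_LOCKDOWN'; Name = 'iexplore.exe'; CLSID = ''; Dll = ''
    Value = $lockValue; Suspicious = ($lockValue -eq '0')
}

# 3. BrowseNewProcess = yes. A weak signal on its own (users can set it), so it is
#    reported for context rather than treated as conclusive.
$bnpKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess'
$bnp = Get-ItemProperty -Path $bnpKey -Name 'BrowseNewProcess' -ErrorAction SilentlyContinue
$bnpValue = 'absent'; if ($bnp) { $bnpValue = [string]$bnp.BrowseNewProcess }
$findings += [pscustomobject]@{
    Check = 'BrowseNewProcess'; Name = 'BrowseNewProcess'; CLSID = ''; Dll = ''
    Value = $bnpValue; Suspicious = ($bnpValue -eq 'yes')
}

$findings | Format-Table -AutoSize       # full inventory; filter on Suspicious to triage
```

Any SSODL entry whose DLL is unsigned, missing, or carries a random name under the system directory should be cross-checked against the file list above before removal.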
