Antivirus and Security Software from Sophos
Troj/Padodor-T

Aliases
  • TROJ_PADODOR.AM

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 18 January 2005 13:41:02 (GMT)
Detected by: All Sophos products

More Information

Troj/Padodor-T is a backdoor Trojan for the Windows platform that may also function as a proxy.

When executed, Troj/Padodor-T moves itself to the Windows system folder under a random filename and drops a DLL component, also randomly named, into the same folder. The names resemble the following examples:

Mhflcm32
Ihpkfpih

Troj/Padodor-T registers the dropped DLL as an Internet Explorer plugin.

Troj/Padodor-T also creates a text file named keng32mk.dll and a randomly named batch file that deletes the running executable and then itself once the Trojan copy has been created.

Troj/Padodor-T sets the following registry entries (name2.dll below stands for the randomly named dropped DLL):

HKCU\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\.Current\
HKCU\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\.Current\@ = ""

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = dword:00000000

HKCR\CLSID\%7CFBACFF-EE01-1231-ABDD-416592E5D639%\
HKCR\CLSID\%7CFBACFF-EE01-1231-ABDD-416592E5D639%\InProcServer32\
HKLM\SOFTWARE\Classes\CLSID\%7CFBACFF-EE01-1231-ABDD-416592E5D639%\InProcServer32\@ = "name2.dll"
HKCR\CLSID\%7CFBACFF-EE01-1231-ABDD-416592E5D639%\InProcServer32\ThreadingModel = "Apartment"

HKLM\SOFTWARE\Microsoft\IE4\MGR = "SOPLETEK-ciliicdg"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "%7CFBACFF-EE01-1231-ABDD-416592E5D639%"

Two of these entries matter most to a responder: the ShellServiceObjectDelayLoad value makes explorer.exe load the DLL registered under that CLSID at every logon, so the Trojan persists without a Run key, and setting FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe to 0 switches off the Local Machine Zone Lockdown that Internet Explorer applies to locally stored HTML.

Troj/Padodor-T may modify registry entries under the following keys:

HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current\@
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
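A check for the registry indicators listed above, as an added example that is not Sophos code: it parses a text registry export (the format written by "reg export") and reports the ShellServiceObjectDelayLoad entry, the CLSID's InProcServer32 registration, the IE4\MGR marker and the disabled Local Machine Zone Lockdown. The sample export, the DLL path mhflcm32.dll (built from one of the page's example names) and the helper names are constructed for this example; the CLSID is written with braces, as a real export shows it, whereas the page writes it with % delimiters, and the parser treats both the same.

```python
"""Scan a Windows registry export (.reg text) for the Troj/Padodor-T registry
indicators listed on this page: the ShellServiceObjectDelayLoad "Web Event
Logger" entry, the CLSID whose InProcServer32 names the dropped DLL, the
IE4\\MGR marker and the disabled Local Machine Zone Lockdown for iexplore.exe.
Added example, not Sophos code; sample export and DLL name are constructed."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]


def _norm_key(path: str) -> str:
    """Canonical key path. HKCR is a merged view that includes HKLM\\SOFTWARE\\Classes
    (the page lists the same CLSID both ways), GUID delimiters differ between the
    page (%...%) and a real export ({...}), and registry paths are case-insensitive."""
    p = re.sub(r"[{}%]", "", path).upper()
    hkcr = "HKEY_CLASSES_ROOT\\"
    if p.startswith(hkcr):
        p = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\" + p[len(hkcr):]
    return p


# Indicators taken from the page.
PADODOR_CLSID = "7CFBACFF-EE01-1231-ABDD-416592E5D639"
SSODL_KEY = _norm_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad")
INPROC_KEY = _norm_key(r"HKEY_CLASSES_ROOT\CLSID\{" + PADODOR_CLSID + r"}\InProcServer32")
LOCKDOWN_KEY = _norm_key(r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN")
IE4_KEY = _norm_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4")


def parse_reg_export(text: str) -> RegTree:
    """Minimal parser for 'reg export' output: [key] headers, then "name"=value
    lines with @ for the default value. Values keep the raw right-hand side
    ("foo.dll", dword:00000000) so callers can compare them verbatim."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = _norm_key(header.group(1))
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name != "@":
            name = name.strip('"')
        tree[current][name] = value.strip()
    return tree


def find_padodor_indicators(tree: RegTree) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs; an empty list means nothing matched."""
    hits: List[Tuple[str, str]] = []
    # Persistence: explorer.exe loads every CLSID listed under SSODL at logon,
    # so the DLL runs inside the shell without any Run key entry.
    for name, value in tree.get(SSODL_KEY, {}).items():
        if re.sub(r'[{}%"]', "", value).upper() == PADODOR_CLSID:
            hits.append(("ssodl", f"{name}={value}"))
    # The COM registration that resolves that CLSID to the dropped DLL.
    inproc = tree.get(INPROC_KEY, {}).get("@")
    if inproc is not None:
        hits.append(("clsid_inproc", inproc))
    # Hardening bypass: iexplore.exe=0 switches off the Local Machine Zone
    # Lockdown, so local HTML runs with Local Machine Zone rights again.
    if tree.get(LOCKDOWN_KEY, {}).get("iexplore.exe", "").lower() == "dword:00000000":
        hits.append(("lockdown_disabled", "iexplore.exe=dword:00000000"))
    mgr = tree.get(IE4_KEY, {}).get("MGR")
    if mgr is not None:
        hits.append(("ie4_mgr", mgr))
    return hits


# Constructed sample export for an infected profile. The WebCheck entry is a
# normal SSODL entry and must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{7CFBACFF-EE01-1231-ABDD-416592E5D639}\InProcServer32]
@="C:\\WINDOWS\\system32\\mhflcm32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IE4]
"MGR"="SOPLETEK-ciliicdg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{7CFBACFF-EE01-1231-ABDD-416592E5D639}"
"""

if __name__ == "__main__":
    for indicator, evidence in find_padodor_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{indicator:18} {evidence}")
```

To run it against a real host, export the relevant hives with "reg export" (for example HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and the FeatureControl key under the affected user's HKCU) and feed the file's text to parse_reg_export; note that reg export writes UTF-16 with a byte-order mark, so open the file with encoding="utf-16". A hit on the SSODL or InProcServer32 entry tells you which DLL to collect before cleaning, since the on-disk name is random.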

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against Troj/Padodor-T (detected as Troj/Padodo-Gen) since version 3.87.
