Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 13 July 2005 20:27:26 (GMT) |
| Detected by | All Sophos products, including Endpoint Security and Control 9.0 and Small business solutions 4.0 |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/PcClient-K is a Trojan for the Windows platform.
Troj/PcClient-K includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/PcClient-K will contact a predefined URL and download data containing an IP address. The Trojan may then attempt to download and install further executables.
When first run Troj/PcClient-K copies itself to <Windows system folder>\Ykemml.exe and creates the following files:
<Windows system folder>\Ykemml.dll
<Windows system folder>\drivers\Ykemml.sys
The file Ykemml.sys is used for stealthing and is registered as a new system driver service named "Ykemml", with a display name of "Ykemml". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Ykemml\
The file Ykemml.exe is registered as a system driver service named "Schedule" (replacing any existing service named "Schedule"). Registry entries are created or modified under:
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
Registry entries are set as follows:
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 1
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 1
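The following PowerShell triage script is an added example, not part of the Sophos write-up; it checks a Windows host for the artifacts listed above (dropped files, the "Ykemml" driver service, a "Schedule" service whose ImagePath points at Ykemml.exe, and the ProxyEnable values). It assumes the Windows system folder is %SystemRoot%\System32 and that the service's launch path is stored in the standard ImagePath value; run it from an elevated prompt.

```powershell
# Added triage script for Troj/PcClient-K artifacts (example code, not from
# the Sophos analysis). Assumes <Windows system folder> = %SystemRoot%\System32
# and that service launch paths live in the standard 'ImagePath' value.
# Run elevated. Prints each matched indicator, or a "none found" line.

$sys = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Files dropped into the Windows system folder.
foreach ($f in @("$sys\Ykemml.exe", "$sys\Ykemml.dll", "$sys\drivers\Ykemml.sys")) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
    }
}

# 2. The 'Ykemml' driver service used for stealthing. Its key should not
#    exist on a clean host, so presence alone is an indicator.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Ykemml'
if (Test-Path -Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath=$img)"
}

# 3. The 'Schedule' service hijacked to launch Ykemml.exe. A 'Schedule'
#    service key exists on every Windows host (Task Scheduler), so the key
#    itself is not an indicator; only an ImagePath referencing Ykemml is.
$schedKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
if (Test-Path -Path $schedKey) {
    $img = (Get-ItemProperty -Path $schedKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and ($img -match 'Ykemml')) {
        $findings += "Schedule service ImagePath points at the trojan: $img"
    }
}

# 4. ProxyEnable=1 under both hardware-profile Internet Settings keys.
#    ProxyEnable=1 is a legitimate setting on proxied networks, so report
#    it only as supporting evidence, never as a hit on its own.
foreach ($hp in @('0001', 'Current')) {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\$hp\Software\Microsoft\windows\CurrentVersion\Internet Settings"
    $v = (Get-ItemProperty -Path $k -Name ProxyEnable -ErrorAction SilentlyContinue).ProxyEnable
    if ($v -eq 1) {
        $findings += "ProxyEnable=1 under Hardware Profiles\$hp (supporting indicator only)"
    }
}

if ($findings.Count -eq 0) {
    'No Troj/PcClient-K artifacts found.'
} else {
    $findings
}
```

Because Ykemml.sys is a stealth driver, file and registry queries made from a live, infected system may be filtered by the rootkit; if this script returns nothing but the host is still suspect, repeat the checks from an offline boot or against a mounted disk image before trusting the negative result.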
