Sophos

Troj/PcClient-R

Aliases
  • Backdoor.Win32.PcClient.x
  • BackDoor-CKB.dr

Summary

 
Affected operating systems: Windows
Characteristics:
  • Drops more malware
Protection available since: 29 April 2005 22:06:19 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/PcClient-R is a backdoor Trojan.

Troj/PcClient-R will copy itself to the Windows system folder.

To run automatically each time a Windows session is started, Troj/PcClient-R will attempt to install itself over the existing service named "Schedule". The service has a display name of "Task Scheduler". Registry entries will be modified under the following registry branch:

HKLM\System\CurrentControlSet\Services\Schedule

In particular, the following registry entries will be modified:

HKLM\System\CurrentControlSet\Services\Schedule
ImagePath
<path to Trojan>

where the default value on a standard Windows XP installation is "%SystemRoot%\System32\svchost.exe -k netsvcs"

HKLM\System\CurrentControlSet\Services\Schedule
Type
110

where the default value on a standard Windows XP installation is "120"
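
A check for the two modified values described above, written as an added example (not Sophos code): it parses the text output of `reg query` for the Schedule service key and reports any deviation from the Windows XP defaults the page states. The sample outputs, the placeholder executable path and the function names are constructed for illustration, and the code assumes the page's "110" and "120" are hexadecimal.

```python
import re

# Defaults the page gives for a standard Windows XP installation.
DEFAULT_IMAGEPATH = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
DEFAULT_TYPE = 0x120  # assumption: the page's "120" is hexadecimal
TROJAN_TYPE = 0x110   # assumption: the page's "110" is hexadecimal

# Constructed samples in `reg query` text format (not captured from a real host).
CLEAN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule
    Type    REG_DWORD    0x120
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
"""
MODIFIED_SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule
    Type    REG_DWORD    0x110
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\System32\PLACEHOLDER.exe
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Map lowercased value names to their data strings."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = match.group(3)
    return values

def check_schedule_service(text):
    """Return a list of findings; an empty list means both values match the defaults."""
    values = parse_reg_query(text)
    findings = []
    image = values.get("imagepath")
    if image is None:
        findings.append("ImagePath missing")
    elif image.lower() != DEFAULT_IMAGEPATH.lower():
        findings.append("ImagePath differs from XP default: " + image)
    try:
        svc_type = int(values["type"], 16)
    except (KeyError, ValueError):
        findings.append("Type missing or unparseable")
    else:
        if svc_type == TROJAN_TYPE:
            findings.append("Type is 0x110, the value the page attributes to the Trojan")
        elif svc_type != DEFAULT_TYPE:
            findings.append("Type differs from XP default: " + hex(svc_type))
    return findings
```

The defaults compared against are the Windows XP values quoted on this page; other Windows versions may legitimately differ, so a finding is a prompt for review rather than a verdict.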

Under Windows 9x systems, Troj/PcClient-R will set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<Trojan base filename>
<Windows system folder>\<Trojan filename>

Troj/PcClient-R may attempt to hide itself and bypass personal firewalls by loading DLL files from the WINLOGON.EXE processes.
