Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 15 December 2005 23:12:20 (GMT) |
| Last updated | 6 January 2006 11:35:44 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing Trojans.
More Information
Troj/PPdoor-Q is a backdoor Trojan for the Windows platform.
Troj/PPdoor-Q includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/PPdoor-Q attempts to disable some security-related processes.
When Troj/PPdoor-Q is installed, some of the following files may be created:
<System>\dpnetmsg.exe
<System>\iueninet.dll
<System>\fsmgntfs.dll
<System>\ntmapast.dll
<System>\ir50psrv.exe
<System>\kbd1uery.dll
<System>\lfyockaa.dll
<System>\a15svcs.exe
<System>\dpnmdlib.exe
<System>\c_28usic.dll
<System>\atiysnpn.dll
<System>\treemqoa.dll
<System>\arptutdn.dll
<System>\eulapart.dll
<System>\smlo8thk.exe
<System>\odbcfwci.ime
<System>\hgakheg.dll
<System>\jkwbhew.dll
<System>\testtest.exe
These are data files which can be deleted.
The following registry entry is created to run code exported by the Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Shedule WebControl
(371E1EE1-3C10-48BF-8C65-CEB88E8DBDA8)
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe,dpnetmsg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\dpnetmsg.exe
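
A check for the Winlogon changes listed above, as an added example that is not part of the original Sophos description: it parses text captured with `reg query` and reports any Shell or Userinit entry beyond the Windows defaults. The sample output is constructed, the function names are hypothetical, and `C:\WINDOWS\system32` stands in for <System> as an assumption.

```python
import re

# Programs expected in each Winlogon value on a clean system.
# Comparison is by file name only, so a look-alike explorer.exe in
# another directory is NOT caught by this check.
BASELINE = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# Constructed sample of `reg query` output for the Winlogon key,
# modelled on the values in the description above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    PowerdownAfterShutdown    REG_SZ    0
    Shell    REG_SZ    Explorer.exe,dpnetmsg.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\dpnetmsg.exe
"""

# A value line is indented: <name> <type> <data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$")


def file_name(entry):
    """Lower-cased last path component of one comma-separated entry."""
    return re.split(r"[\\/]", entry.strip().strip('"'))[-1].lower()


def extra_winlogon_entries(reg_text):
    """Return {value name: [entries that are not in the baseline]}."""
    findings = {}
    for line in reg_text.splitlines():
        match = VALUE_LINE.match(line)
        if not match or match.group(1).lower() not in BASELINE:
            continue
        allowed = BASELINE[match.group(1).lower()]
        # Both values are comma-separated lists; Userinit normally ends
        # with a trailing comma, which yields an empty entry to skip.
        extras = [e.strip() for e in match.group(2).split(",")
                  if e.strip() and file_name(e) not in allowed]
        if extras:
            findings[match.group(1)] = extras
    return findings


if __name__ == "__main__":
    for value, extras in extra_winlogon_entries(SAMPLE).items():
        print(f"Winlogon\\{value}: unexpected entries {extras}")
```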
