Troj/Progent-B

Aliases
  • Trojan-Spy.Win32.ProAgent.p
  • TROJ_WINCON.A
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 18 September 2005 15:30:09 (GMT)
Detected by: All Sophos products
More Information

Troj/Progent-B is a Trojan for the Windows platform with functionality to:

  • extract password information for email accounts
  • log key presses and applications opened
  • email passwords and other significant information to a remote user
  • download and execute further files from a remote website
  • deactivate some anti-virus utilities

When first run, Troj/Progent-B copies itself to <Windows>\wins32.exe and creates the following files, detected by Sophos's anti-virus products as components of Troj/Progent-B:

<Windows>\kurlmon.dll
<Windows>\msehk.dll
<Windows>\qservice.exe
<Windows>\services.dll
<System>\HookApi.dll

Troj/Progent-B also creates the following files:

<Temp>\htmpl.htm
<Windows>\k_urlmon.dll (a text file logging window titles and key presses)
<System>\bszip.dll (a file from a commercial zip/compression utility)

Troj/Progent-B hooks into the operating system so that most of its files do not show in Windows Explorer. However, they are visible in directory listings from a command prompt.

The following registry entries are created to run wins32.exe and qservice.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sqservices
<Windows>\wins32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
qservices
<Windows>\qservice.exe

Troj/Progent-B also sets the following registry value, which disables the srservice service so that it is no longer started automatically:

HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
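An added offline triage helper, not Sophos code, that checks a host snapshot against the indicators listed above: the two HKCU Run values, the cross-view discrepancy between an Explorer listing and a command-prompt listing that the hooking produces, and the srservice Start value. The sample host state, the default directory paths and the function names are constructed assumptions for illustration.

```python
import ntpath

# Indicators taken from the advisory above; <Windows>, <System> and <Temp> are
# expanded at check time because the real directories differ per machine.
DROPPED_FILES = {
    r"<Windows>\wins32.exe", r"<Windows>\kurlmon.dll", r"<Windows>\msehk.dll",
    r"<Windows>\qservice.exe", r"<Windows>\services.dll", r"<System>\HookApi.dll",
    r"<Windows>\k_urlmon.dll", r"<Temp>\htmpl.htm", r"<System>\bszip.dll",
}
RUN_VALUES = {"sqservices": "wins32.exe", "qservices": "qservice.exe"}  # HKCU\...\Run
SERVICE_DISABLED = 4  # Start=4 under a Services key: the SCM never starts the service

def expand(path, windows, system, temp):
    """Replace the advisory's placeholders with concrete directories (case-folded)."""
    return (path.replace("<Windows>", windows).replace("<System>", system)
                .replace("<Temp>", temp).lower())

def check_run_keys(run_entries):
    """run_entries: {value name: data} read from the HKCU Run key.
    Returns the (name, data) pairs matching the trojan's two autostart values."""
    return [(n, d) for n, d in run_entries.items()
            if RUN_VALUES.get(n.lower()) == ntpath.basename(d).lower()]

def hidden_files(explorer_view, cmd_view):
    """Cross-view check: a file that a 'dir' listing shows but the Explorer (shell
    API) listing omits is being hidden by the hook the advisory describes."""
    return sorted({p.lower() for p in cmd_view} - {p.lower() for p in explorer_view})

def triage(run_entries, explorer_view, cmd_view, srservice_start,
           windows=r"C:\WINDOWS", system=r"C:\WINDOWS\system32", temp=r"C:\Temp"):
    known = {expand(p, windows, system, temp) for p in DROPPED_FILES}
    hidden = hidden_files(explorer_view, cmd_view)
    return {
        "run_keys": check_run_keys(run_entries),
        "hidden_known": [p for p in hidden if p in known],      # advisory files
        "hidden_unknown": [p for p in hidden if p not in known],  # worth a look
        "srservice_disabled": srservice_start == SERVICE_DISABLED,
    }

# Constructed sample host state (not real captures): Run key contents plus an
# Explorer listing and a command-prompt listing of the same Windows directory.
SAMPLE_RUN = {"sqservices": r"C:\WINDOWS\wins32.exe",
              "qservices": r"C:\WINDOWS\qservice.exe",
              "benign_app": r"C:\Program Files\Benign\benign.exe"}
SAMPLE_EXPLORER = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\k_urlmon.dll"]
SAMPLE_CMD = SAMPLE_EXPLORER + [r"C:\WINDOWS\wins32.exe", r"C:\WINDOWS\kurlmon.dll",
                                r"C:\WINDOWS\extra.dll"]

def sample_triage():
    """Run the checks over the constructed sample; srservice Start is 4 (disabled)."""
    return triage(SAMPLE_RUN, SAMPLE_EXPLORER, SAMPLE_CMD, srservice_start=4)
```

Files that appear only in the command-prompt view but are not in the advisory's list are reported separately, since the advisory says most, not all, of the trojan's files are hidden.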
