Sophos

Troj/Puper-D

Aliases
  • trojan-clicker.win32.agent.dj
  • trojan.win32.zapchast
  • w32/adclicker.dn
  • puper.dll
  • trojan.popuper

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 25 May 2005 00:58:09 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

intmon.exe can only restart the main process if the main Trojan file is still named shnlog.exe.

Therefore, both processes can be terminated by first renaming the file shnlog.exe and then terminating the shnlog.exe process.

intmon.exe will then terminate itself when it cannot find the main file to re-execute it. Both files can then be deleted and the registry cleaned.

After shnlog.exe has been cleared from the system, standard procedures can be used for disinfection of the other two components.
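The removal order above (rename, terminate the main process, let intmon.exe give up, then delete and clean the registry) as a PowerShell script. This is an added example, not a Sophos tool; it assumes the dropped files live in the System32 directory as the More Information section states, uses an assumed quarantine name for the renamed file, and removes any value under the policies\explorer\run key whose data refers to shnlog.exe.

```powershell
# Added example (not Sophos's own code): automates the shnlog.exe / intmon.exe
# removal order described on this page. Run from an elevated PowerShell session.
$system   = [Environment]::SystemDirectory           # e.g. C:\Windows\System32 (assumed location)
$mainFile = Join-Path $system 'shnlog.exe'
$monitor  = Join-Path $system 'intmon.exe'
$renamed  = Join-Path $system 'shnlog.exe.quarantine'  # assumed quarantine name

if (-not (Test-Path $mainFile)) {
    Write-Host 'shnlog.exe not present; nothing to do.'
    exit 0
}

# 1. Rename first. intmon.exe only knows how to relaunch a file called shnlog.exe,
#    so once the name changes its restart attempt fails. Windows permits renaming
#    an executable while its process is still running.
Rename-Item -Path $mainFile -NewName (Split-Path $renamed -Leaf) -Force

# 2. Terminate the main process (process name is the image name without .exe).
Get-Process -Name 'shnlog' -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Give intmon.exe time to exit on its own when it cannot find shnlog.exe.
$deadline = (Get-Date).AddSeconds(30)
while ((Get-Process -Name 'intmon' -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 1
}
# If it is still alive after the timeout, stop it explicitly; with shnlog.exe gone
# there is no main process left to recreate it.
Get-Process -Name 'intmon' -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Delete both files.
Remove-Item -Path $renamed, $monitor -Force -ErrorAction SilentlyContinue

# 5. Clean the startup entry: drop every value under the run policy key whose data
#    mentions shnlog.exe (the page lists the key, plus the names paint.exe and shnlog.exe).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'
if (Test-Path $runKey) {
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'shnlog\.exe' } |
        ForEach-Object {
            Write-Host "Removing startup value '$($_.Name)' = $($_.Value)"
            Remove-ItemProperty -Path $runKey -Name $_.Name -Force
        }
}
Write-Host 'shnlog.exe / intmon.exe pair removed; continue with hhk.dll and the hpXX.tmp BHO.'
```

The rename must happen before the kill: if the main process is stopped while the file still carries its original name, intmon.exe simply relaunches it and the pair survives.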

More Information

Troj/Puper-D is a browser-hijacking Trojan for the Windows platform.

When Troj/Puper-D is installed the following files are created:

<System>\hhk.dll
<System>\intmon.exe
<System>\hpXX.tmp - where XX denotes randomly generated characters.

Sophos Anti-Virus will detect each of these files as Troj/Puper-D, in addition to detecting the main file shnlog.exe.

In order to run itself on startup, the Trojan creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
paint.exe
shnlog.exe

Furthermore, intmon.exe monitors the main process, and restarts it if it is terminated. Meanwhile the main process restarts the monitoring process if it is terminated, and recreates the file intmon.exe if it is deleted.

Troj/Puper-D changes settings for Microsoft Internet Explorer, including Start Page and search settings, by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchUrl

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)\(default)

Registry entries are also created under:

HKCR\CLSID\VMHomepage\
HKCR\CLSID\VMHomepage.1\
HKCR\VMHomepage.1\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FASTUSERSWITCHINGCOMPATIBILITY\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETMAN\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NLA\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPSRV\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000\Control\

The file hpXX.tmp is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)
HKCR\CLSID\VMHomepage
HKCR\CLSID\(FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA)
HKCR\Interface\(1E1B2878-88FF-11D2-8D96-D7ACAC95951F)
HKCR\TypeLib\(1E1B286C-88FF-11D2-8D96-D7ACAC95951F)
HKCR\VMHomepage
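A read-only audit that checks a host for the indicators listed on this page (dropped files, the running watchdog pair, the startup value, the BHO/COM registration and the Internet Explorer start and search settings). This is an added example, not a Sophos tool. It assumes the System32 directory for the dropped files and assumes the standard brace form `{...}` for the CLSID and interface GUIDs, which the page prints in parentheses.

```powershell
# Added example (not Sophos's own code): reports Troj/Puper-D indicators from this page.
# Makes no changes to the system; run it before and after cleanup to confirm the result.
$findings = @()
$system   = [Environment]::SystemDirectory   # assumed drop location (<System> on the page)

# Dropped files. hp??.tmp covers the random two-character suffix the page describes.
foreach ($name in 'shnlog.exe', 'intmon.exe', 'hhk.dll') {
    $p = Join-Path $system $name
    if (Test-Path $p) { $findings += "file: $p" }
}
Get-ChildItem -Path $system -Filter 'hp??.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "file: $($_.FullName)" }

# The mutually restarting pair of processes.
foreach ($proc in 'shnlog', 'intmon') {
    if (Get-Process -Name $proc -ErrorAction SilentlyContinue) { $findings += "process: $proc.exe" }
}

# Startup value under the run policy key whose data points at shnlog.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'
if (Test-Path $runKey) {
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'shnlog\.exe' } |
        ForEach-Object { $findings += "startup value: $($_.Name) = $($_.Value)" }
}

# BHO and COM registration created for hpXX.tmp. Brace form of the GUIDs is assumed.
$clsid   = '{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}'
$comKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    'Registry::HKEY_CLASSES_ROOT\CLSID\VMHomepage',
    'Registry::HKEY_CLASSES_ROOT\VMHomepage',
    'Registry::HKEY_CLASSES_ROOT\VMHomepage.1',
    'Registry::HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}'
)
foreach ($k in $comKeys) {
    if (Test-Path $k) { $findings += "registry key: $k" }
}

# Internet Explorer settings the Trojan rewrites. Their current values are reported
# so an analyst can compare them with the expected defaults rather than guessing.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $ieMain) {
    $main = Get-ItemProperty -Path $ieMain
    foreach ($v in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
        if ($main.$v) { $findings += "IE setting: $v = $($main.$v)" }
    }
}

if ($findings.Count -eq 0) { 'No Troj/Puper-D indicators found.' } else { $findings }
```

The BHO file is loaded into every Internet Explorer process, so the registration keys above are the indicators to check when hpXX.tmp cannot be deleted while the browser is open.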
