high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 10 February 2008 19:56:37 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Pushu-H is a downloader/installer for members of the Troj/Pushu-Gen family of Trojans.
Troj/Pushu-H typically arrives as an email attachment as part of a spamming campaign.
When Troj/Pushu-H is installed it creates the following stealthing component which Sophos Anti-Virus detects as Troj/Pushu-Gen:
<System>\drivers\runtime.sys
The file runtime.sys is registered as a new system driver service named "runtime". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\runtime\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\
Troj/Pushu-H replaces the following file with a rootkit component which Sophos Anti-Virus detects as Troj/Agent-GIS and/or Troj/Pushu-Gen:
<System>\drivers\secdrv.sys
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\SecDrv\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV\
Troj/Pushu-H may also attempt to download from a remote location by injecting code into Internet Explorer, sometimes downloading to the following location:
<Windows>\system32\<random number>_exception.nls
|
