Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2008 (4.30) |
| Protection available since | 22 April 2008 19:05:15 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.

More Information
Troj/PWS-ARA is a password stealing Trojan for the Windows platform.
When Troj/PWS-ARA is installed, the following files are created:
<current folder>\chkdsk32.exe
<Windows>\svchost.exe
<System>\AUHook.dll
<System>\magent.exe
<System>\mdmi386.exe
<System>\mswapi.dll
<System>\winio32.sys
The following registry entries are created to run Troj/PWS-ARA on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    magent = <System>\magent.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IPv6 network support = <Windows>\svchost.exe
The file winio32.sys is registered as a system driver service with a startup type of automatic, creating registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Installer
The files AUHook.dll and mswapi.dll are registered as COM objects, creating registry entries under:
HKCR\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}
HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}
The following registry entries are created to run code exported by AUHook.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset6
    DLLName = AUHook.dll
    Impersonate = 1
The following registry entry is created to register mswapi.dll as a Browser Helper Object (BHO) for Microsoft Internet Explorer:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3a729da-eabc-df50-1842-dfd682644311}
Registry entries are set as follows:
HKCR\Directory\shellex\ContextMenuHandlers\icqlite
    (Default) = {77770022-0D68-4D14-BF25-6747ACFA95DE}
HKCR\*\shellex\ContextMenuHandlers\icqlite
    (Default) = {77770022-0D68-4D14-BF25-6747ACFA95DE}
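The following PowerShell script is an added example and is not part of the Sophos analysis or any Sophos tool. It performs a read-only check of a host for the files and registry persistence points listed above (Run values, the driver service key, the COM CLSIDs, the Winlogon Notify entry, the BHO registration and the context-menu handlers). It assumes <System> is %windir%\System32 and <Windows> is %windir%; because <current folder> for chkdsk32.exe is not known, it searches the user profile and temp directory for that file, which is an assumption rather than something the analysis states. Run it from an elevated prompt; it reports what it finds and removes nothing.

```powershell
# Added example, not part of the Sophos analysis: read-only check for the
# Troj/PWS-ARA artefacts listed in the write-up. Reports only, removes nothing.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegistryValue {
    # Returns the data of value $Name under $KeyPath, or $null if the key or
    # value is absent. Pass '' as $Name to read the (Default) value.
    param([string]$KeyPath, [string]$Name)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name)
}

# --- Files listed in the analysis (assumes <System> = %windir%\System32) ----
$sys = Join-Path $env:windir 'System32'
$files = @(
    (Join-Path $env:windir 'svchost.exe'),   # genuine svchost.exe lives in System32, not <Windows>
    (Join-Path $sys 'AUHook.dll'),
    (Join-Path $sys 'magent.exe'),
    (Join-Path $sys 'mdmi386.exe'),
    (Join-Path $sys 'mswapi.dll'),
    (Join-Path $sys 'winio32.sys')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("File present: $f") }
}
# <current folder> for chkdsk32.exe is wherever the dropper ran; searching the
# profile and temp directory is an assumption of this example, not the analysis.
foreach ($root in @($env:USERPROFILE, $env:TEMP)) {
    Get-ChildItem -LiteralPath $root -Filter 'chkdsk32.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("File present: $($_.FullName)") }
}

# --- Registry persistence points listed in the analysis ---------------------
$hkcr      = 'Registry::HKEY_CLASSES_ROOT'
$clsidBho  = '{e3a729da-eabc-df50-1842-dfd682644311}'   # CLSID used for the mswapi.dll BHO
$clsidMenu = '{77770022-0D68-4D14-BF25-6747ACFA95DE}'   # CLSID referenced by the icqlite handlers

$valueChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                            Name = 'magent' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                            Name = 'IPv6 network support' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset6';      Name = 'DLLName' },
    @{ Key = "$hkcr\Directory\shellex\ContextMenuHandlers\icqlite";                            Name = '' },
    @{ Key = "$hkcr\*\shellex\ContextMenuHandlers\icqlite";                                    Name = '' }
)
foreach ($c in $valueChecks) {
    $data = Test-RegistryValue -KeyPath $c.Key -Name $c.Name
    if ($null -ne $data) {
        $label = if ($c.Name) { $c.Name } else { '(Default)' }
        $findings.Add("Registry value: $($c.Key) [$label] = $data")
    }
}

$keyChecks = @(
    # The legitimate Windows Installer service is keyed 'msiserver'; a Services
    # key literally named 'Windows Installer' is the driver entry for winio32.sys.
    'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Installer',
    "$hkcr\CLSID\$clsidBho",
    "$hkcr\CLSID\$clsidMenu",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsidBho"
)
foreach ($k in $keyChecks) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/PWS-ARA indicators found.'
} else {
    Write-Output "Troj/PWS-ARA indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

-LiteralPath is used throughout because the HKCR\*\shellex path contains a literal asterisk that Test-Path would otherwise treat as a wildcard. A hit on any of these items is a reason to follow the Trojan removal instructions referenced under Action; the script deliberately does not delete files or registry values itself.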
