Troj/Shed-A

Aliases	Trojan-Clicker.Win32.Small.fb
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Drops more malware Installs itself in the registry
Protection available since	8 April 2005 21:08:43 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Summary
Action
More Information

Troj/Shed-A is a Trojan for the Windows platform.

Troj/Shed-A reduces internet security settings. Troj/Shed-A is a Trojan for the Windows platform.

Troj/Shed-A creates the following registry entries in order to run itself automatically at logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<word pair>
<Windows system folder>\bopotsvr.exe

HKCR\Classes\CLSID\<GUID>\InProcServer32\
default)
C:\\WINDOWS\\System32\\c_12atex.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
Shedule Address
<GUID>

where <GUID> is a randomly-generated sequence and <word pair> is a combination of any two words from the following list:

Internet
Security
Protocol
Meeting
Shedule
Explorer
Messenger
Browser
Component
Windows
Media
Player
Address
Themes
Update
Connection
Agent
WebControl
Network
Remote
Access
Terminal
Client

If run with sufficient rights Troj/Shed-A will install itself as an application authorised by Windows Firewall to communicate with the outside world.

Troj/Shed-A may attempt to download configuration files specifying further actions to take, including downloading and executing files.

Troj/Shed-A drops another file to the Windows temporary folder and runs it. This file (also detected as Troj/Shed-A) opens a hidden Internet Explorer window at a preconfigured URL after modifying internet security settings by changing the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1001
0

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1004
0

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1201
0

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Shed-A

Summary

Action

More Information