high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 24 July 2008 15:23:18 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Spy-AT is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Spy-AT includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Spy-AT copies itself to:
<Startup>\userinit.exe
<User>\svchost.exe
<System>\drivers\services.exe
and creates the following files:
<User>\explorer.dll
<System>\explorer.dll
The following registry entries are created to run Troj/Spy-AT on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[system]
<System>\drivers\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winlogon
<User>\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[system]
<System>\drivers\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winlogon
<User>\svchost.exe
The following registry entry is changed to run Troj/Spy-AT on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\drivers\services.exe
The file <System>\drivers\services.exe is registered as a service named "Schedule" (replacing any existing services named "Schedule"). Registry entries are created or modified under:
HKLM\SYSTEM\CurrentControlSet\Services\Schedule
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UIHost
logonui.exe
|
