Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 25 April 2005 21:33:31 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random three letter key name>
<path to Trojan>
and delete it if it exists.
Close the registry editor.
More Information
Troj/Spywad-C is a Trojan for the Windows platform.
Troj/Spywad-C displays an HTML file that claims the system is infested with spyware, in an attempt to lure the user into visiting certain websites. The Trojan also installs itself in such a way as to consume considerable system resources.
The HTML files dropped by the Trojan contain the following text:
DANGER: SPYWARE
Full system scan results:
3 Spyware infections
27 Spyware tracks
95 Adult-oriented websites tracks
3 Programs with probable keylogging activity
Windows recommends you the following software products to keep your PC safe
The Trojan may also open websites that claim to sell anti-spyware products.
Troj/Spywad-C copies itself to the Windows folder and the Windows system folder many times under three letter random filenames with EXE extensions. These copies may overwrite existing system files with three letter names. The Trojan sets each copy to be run on startup by creating registry entries of the following form:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random three letter key name>
<path to Trojan>
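
The Run entry pattern described above can be checked offline against a registry export, such as the backup made in the removal steps. The following Python is an added example, not Sophos code; the sample export, the folder names in SYSTEM_DIRS and the function name are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption: usual names of the Windows folder and the Windows system folder.
SYSTEM_DIRS = {"windows", "winnt", "system", "system32"}
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
THREE_LETTERS = re.compile(r"[A-Za-z]{3}")

# Constructed sample export: every value name and path below is invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qzv"="C:\\WINDOWS\\qzv.exe"
"Upd"="C:\\Program Files\\Example\\upd.exe"
"bkm"="C:\\WINDOWS\\system32\\xtr.exe"
"ctf"="\"C:\\WINDOWS\\system32\\ctfmon.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"abc"="C:\\WINDOWS\\abc.exe"
'''


def suspicious_run_values(export_text):
    """Return (value name, path) pairs matching the pattern described above."""
    hits, in_run_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        match = VALUE_LINE.match(line) if in_run_key else None
        if not match:
            continue
        # .reg strings escape backslash and double quote with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
        # Keep only the executable from a quoted command line with arguments.
        command = data.split('"')[1] if data.startswith('"') else data
        path = PureWindowsPath(command)
        if (THREE_LETTERS.fullmatch(name) and THREE_LETTERS.fullmatch(path.stem)
                and path.suffix.lower() == ".exe"
                and path.parent.name.lower() in SYSTEM_DIRS):
            hits.append((name, str(path)))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE_EXPORT):
        print(f"review Run value {name!r} -> {path}")
```

Matches are candidates for review, since legitimate software can also use three-letter names. Decode the export before passing it in (version 5.00 exports are UTF-16).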
The Trojan drops three HTML files in the Windows folder, two as DESKTOP.HTML and POPUP.HTML and one as a random three letter filename with an HTML extension. The Trojan attempts to set DESKTOP.HTML as the Windows Wallpaper, making registry changes in the following locations:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\SafeMode\General
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Control Panel\Desktop
HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User shell folders
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User shell folders

