Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 17 November 2005 21:28:39 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Spywad-I is a Trojan for the Windows platform.
Troj/Spywad-I copies itself to the file <Root>\winstall.exe and sets the following registry entry to run itself on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows installer
<Root>\winstall.exe
Troj/Spywad-I periodically displays fake warning messages in the Windows taskbar with the title "Your computer is infected" and the following message text:
Windows has detected spyware infection!
It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for
you.
Click here to protect your computer from spyware!
Troj/Spywad-I attempts to download a file to <Program Files>\SpySheriff\SpySheriff.exe and may set the following registry entry to run it on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
pro
Troj/Spywad-I also attempts to download a file to <AppData>\Install.dat.
Troj/Spywad-I may also create the files <Program Files>\SpySheriff\SpySheriff.dvm and <Windows folder>\desktop.html, both of which are non-malicious and can be safely deleted.
The file <Windows folder>\desktop.html contains the following fake warning message:
Your system is infected with spyware. Windows recommends you to use a
spyware removal tool to prevent loss of important data and increase system
prefomance. Using this PC before having it cleaned from spyware threats is
highly discouraged.
Troj/Spywad-I may set the following registry entries in order to set <Windows folder>\desktop.html as the Desktop wallpaper:
| Registry key | Value | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoAddingComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoDeletingComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoEditingComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoHTMLWallPaper | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktop | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | ClassicShell | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | ForceActiveDesktopOn | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | Wallpaper | <Windows folder>\desktop.html |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | WallpaperStyle | 2 |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | TileWallpaper | 0 |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | ComponentsPositioned | 2 |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | WallpaperFileTime | <file time installed> |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | WallpaperLocalFileTime | <file time installed> |
| HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General | WallpaperFileTime | <file time installed> |
| HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General | WallpaperLocalFileTime | <file time installed> |
Troj/Spywad-I may delete the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
Registry entries may also be created under:
HKCU\Software\Install\
Troj/Spywad-I may attempt to close certain notification windows related to anti-virus and security programs.
Troj/Spywad-I may not run completely if it finds either of the following files:
<Program Files>\SpywareNo\SpywareNo.exe
<Program Files>\SpySheriff\SpySheriff.exe.
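
The files and registry entries described above can be checked on a live system with a read-only triage script. This is an added example, not Sophos code; the mapping of `<Root>`, `<Program Files>`, `<Windows folder>` and `<AppData>` to environment variables is an assumption, and because most entries are under HKCU it has to run in the affected user's session.

```powershell
# Added example: read-only check for the Troj/Spywad-I artifacts listed on this page.
# Assumption: the page's path placeholders map to these environment variables.
$root    = "$env:SystemDrive\"   # <Root>
$progs   = $env:ProgramFiles     # <Program Files>
$winDir  = $env:windir           # <Windows folder>
$appData = $env:APPDATA          # <AppData>

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Files the page says are copied, downloaded or created.
$files = @(
    (Join-Path $root    'winstall.exe'),
    (Join-Path $progs   'SpySheriff\SpySheriff.exe'),
    (Join-Path $progs   'SpySheriff\SpySheriff.dvm'),
    (Join-Path $appData 'Install.dat'),
    (Join-Path $winDir  'desktop.html')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        # Record a hash so the file can be identified after cleanup.
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'File' $f "SHA256=$hash"
    }
}

# 2. Startup entries: value names "Windows installer" and "pro" under the HKCU Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'Windows installer', 'pro') {
    $prop = if ($run) { $run.PSObject.Properties[$name] }
    if ($prop) { Add-Finding 'RunValue' $runKey "$name = $($prop.Value)" }
}

# 3. Wallpaper policy pointing at desktop.html, and Active Desktop forced on.
$sysKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$wp = (Get-ItemProperty -Path $sysKey -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -like '*\desktop.html') { Add-Finding 'Wallpaper' $sysKey $wp }
$expKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$force = (Get-ItemProperty -Path $expKey -Name ForceActiveDesktopOn -ErrorAction SilentlyContinue).ForceActiveDesktopOn
if ($force -eq 1) { Add-Finding 'Policy' $expKey 'ForceActiveDesktopOn = 1' }

# 4. Key under which the page says further entries may be created.
if (Test-Path 'HKCU:\Software\Install') { Add-Finding 'RegKey' 'HKCU:\Software\Install' 'key exists' }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Troj/Spywad-I artifacts from this page were found.' }
```

A match on a value name or policy setting alone is only a lead: compare the reported data against the paths on this page before treating the host as infected.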
