Sophos

Troj/Telemot-A

Aliases
  • Backdoor.Win32.Telemot.01
  • Generic
  • BackDoor.c

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 12 October 2005 13:30:24 (GMT)
Detected by All Sophos products

More Information

Troj/Telemot-A is a backdoor Trojan for the Windows platform.

Troj/Telemot-A allows a remote attacker to control the infected computer over a TCP connection.

When first run Troj/Telemot-A copies itself to <System>\chkdsk32.exe.

The file CHKDSK32.EXE is registered as a new system driver service named "Logical Disk Manager Users Service", with a display name of "Users service for disk management requests" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Logical Disk Manager Users Service\

Troj/Telemot-A injects code into svchost.exe which listens for incoming TCP connections (by default on port 1070). An attacker who connects to this port is given a command shell from which they can:
  • list or kill processes
  • transfer files
  • view and modify registry settings
  • reboot the infected computer
  • show system information
  • take screenshots
  • download and install an updated version of the Trojan

If run with sufficient rights, Troj/Telemot-A also registers itself as an application authorized by Windows Firewall, so that the inbound connections to its listening port are not blocked by the host firewall.
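The following PowerShell script is an added host-triage example that checks a Windows machine for the indicators described on this page; it is not Sophos code or part of the Trojan analysis. It assumes the Windows Firewall authorized-application entry is written to the standard registry locations for the XP-era firewall (AuthorizedApplications\List) or the later FirewallRules key, neither of which the page names; it reports every svchost.exe TCP listener rather than only port 1070 because the port is only a default. Legitimate svchost.exe listeners (RPC on 135, RDP on 3389, ephemeral RPC ports) are expected on any Windows host, so only the port 1070 hit is flagged outright.

```powershell
# Troj/Telemot-A host triage (added example, not Sophos code).
# Checks the four indicators the analysis describes: the dropped file,
# the service registry key, an svchost.exe TCP listener, and a firewall
# exception naming chkdsk32.exe. Run from an elevated PowerShell prompt.

function Find-TelemotIndicators {
    $svcName  = 'Logical Disk Manager Users Service'
    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    $dropper  = Join-Path $env:SystemRoot 'System32\chkdsk32.exe'
    $findings = @()

    # 1. Dropped copy in <System>
    if (Test-Path -LiteralPath $dropper) {
        $findings += "File present: $dropper"
    }

    # 2. Service registration under the exact key the analysis names.
    #    Start = 2 is 'Automatic', matching the startup type described.
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $findings += "Service key present: $svcKey"
        $findings += "  ImagePath   = $($svc.ImagePath)"
        $findings += "  DisplayName = $($svc.DisplayName)"
        $findings += "  Start       = $($svc.Start) (2 = Automatic)"
        $findings += "  Type        = $($svc.Type)"
    }

    # 3. Listening TCP sockets owned by any svchost.exe process.
    #    netstat -ano is used instead of Get-NetTCPConnection so the
    #    check also works on older Windows versions. Port 1070 is the
    #    default the analysis gives; other ports are listed for review.
    $svchostPids = @()
    foreach ($p in @(Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
        $svchostPids += $p.Id
    }
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port  = [int]$Matches[1]
            $owner = [int]$Matches[2]
            if ($svchostPids -contains $owner) {
                $tag = if ($port -eq 1070) { 'DEFAULT TELEMOT PORT' } else { 'review' }
                $findings += "svchost.exe (PID $owner) listening on TCP $port [$tag]"
            }
        }
    }

    # 4. Firewall exception referencing chkdsk32.exe.
    #    Assumed locations (the page does not state where the entry is
    #    written): the XP SP2 AuthorizedApplications lists and the
    #    Vista-and-later FirewallRules key, whose values embed 'App=<path>'.
    $fwBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $fwLists = @(
        "$fwBase\StandardProfile\AuthorizedApplications\List",
        "$fwBase\DomainProfile\AuthorizedApplications\List",
        "$fwBase\FirewallRules"
    )
    foreach ($list in $fwLists) {
        if (-not (Test-Path -LiteralPath $list)) { continue }
        $props = Get-ItemProperty -LiteralPath $list
        foreach ($entry in $props.PSObject.Properties) {
            if ($entry.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ("$($entry.Name) $($entry.Value)" -match 'chkdsk32\.exe') {
                $findings += "Firewall exception in $list : $($entry.Name) = $($entry.Value)"
            }
        }
    }

    return $findings
}

$result = Find-TelemotIndicators
if ($result.Count -eq 0) {
    'No Troj/Telemot-A indicators found.'
} else {
    $result
}
```

A hit on the file, the service key, or a chkdsk32.exe firewall entry is a strong indicator on its own; an svchost.exe listener on 1070 should be confirmed by checking which process actually owns the socket and whether the injected code is present, since the port is configurable.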
