Sophos

Troj/Tompai-B

Aliases
  • Backdoor.Win32.Tompai.b
  • W32.Tombai.worm
  • Backdoor.Trojan
  • BKDR_TOMBAI.B

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 4 July 2005 06:00:08 (GMT)
Last updated: 20 October 2005 02:55:14 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing Trojans.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Troj/Tompai-B is a backdoor Trojan for the Windows platform.

When first run Troj/Tompai-B copies itself to mapserver.exe in the Windows folder and creates three copies of itself in the <system> folder. One of these copies will be called mainsv.exe and the others are chosen randomly from the following pairs of names:

cmpku.exe and cmpkunt.exe
netcompt.exe and netcomptnt.exe
ptsnopt.exe and ptsnoptnt.exe
ntdllf.exe and ntdllfnt.exe

The following registry entries are created to run the copies of the Trojan.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Ntcheck
<Windows>\mapserver.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Cmpnt
<System>\<random name>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
Cmpnt
<System>\mainsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Shell
<System>\mainsv.exe

Troj/Tompai-B changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\

The Trojan also changes the following registry values:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden
0x00000000
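The removal instructions above and the registry and file artefacts just listed can be turned into a single read-only audit. The following PowerShell script is an added example, not Sophos' own tooling: it enumerates the Run, RunOnce and RunServices keys under HKLM and under every user hive loaded in HKEY_USERS, flags any value whose name (Ntcheck, Cmpnt, Shell) or data (mapserver.exe, mainsv.exe, or one of the random pair names) matches the description, checks the Windows folder for the dropped copies, and reports whether the three Explorer settings currently hold the values the Trojan sets. Two assumptions are not from the page: the `<System>` folder is taken to be `System32`, and the script is run from an elevated session so HKLM and HKU are readable. It changes nothing; removal is still done as the Action section describes.

```powershell
# Added example, not Sophos' own tooling: read-only audit for the Troj/Tompai-B
# artefacts described on this page. Nothing is deleted or changed; it only reports.
# Assumptions (not from the page): <System> is taken to be System32, and the script
# runs in an elevated PowerShell session so HKLM and HKU are readable.

# File names the description gives for the dropped copies.
$FileIndicators = @(
    'mapserver.exe', 'mainsv.exe',
    'cmpku.exe',     'cmpkunt.exe',
    'netcompt.exe',  'netcomptnt.exe',
    'ptsnopt.exe',   'ptsnoptnt.exe',
    'ntdllf.exe',    'ntdllfnt.exe'
)

# Value names the description says the autorun entries use.
$ValueIndicators = @('Ntcheck', 'Cmpnt', 'Shell')

# Autorun keys from the removal instructions, relative to a hive root.
$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Explorer settings the Trojan forces. Only Hidden=0 is unusual on its own:
# HideFileExt=1 and ShowSuperHidden=0 are Windows defaults, so treat those two as
# corroboration of an autorun or file hit, not as evidence by themselves.
$TamperedExplorer = @{ Hidden = 0; HideFileExt = 1; ShowSuperHidden = 0 }

function New-Finding([string]$Kind, [string]$Where, [string]$Name, [string]$Data, [string]$Why) {
    [pscustomobject]@{ Kind = $Kind; Where = $Where; Name = $Name; Data = $Data; Why = $Why }
}

# Emits one finding per value in an autorun key whose name or data matches an indicator.
function Get-AutorunFindings([string]$KeyPath) {
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $fileHits = @($FileIndicators | Where-Object { $data -match [regex]::Escape($_) })
        $why = $null
        if ($fileHits.Count -gt 0)                { $why = "data references $($fileHits -join ', ')" }
        elseif ($ValueIndicators -contains $name) { $why = 'value name used by the Trojan' }
        if ($why) { New-Finding 'Autorun' $KeyPath $name $data $why }
    }
}

function Get-TompaiIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # HKLM Run / RunOnce / RunServices (the removal instructions name Run and RunServices).
    foreach ($sub in $RunSubKeys) {
        foreach ($f in Get-AutorunFindings "HKLM:\$sub") { $findings.Add($f) }
    }

    # The same keys in every user hive currently loaded under HKEY_USERS.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        foreach ($sub in $RunSubKeys) {
            foreach ($f in Get-AutorunFindings "HKU:\$($hive.PSChildName)\$sub") { $findings.Add($f) }
        }
    }

    # Dropped copies in the Windows folder and (assumed) System32.
    foreach ($dir in @($env:windir, (Join-Path $env:windir 'System32'))) {
        foreach ($file in $FileIndicators) {
            $path = Join-Path $dir $file
            if (Test-Path -LiteralPath $path) {
                $size = (Get-Item -LiteralPath $path).Length
                $findings.Add((New-Finding 'File' $dir $file $size 'file name used by the Trojan'))
            }
        }
    }

    # Explorer view settings for the current user.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $current = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
    foreach ($name in $TamperedExplorer.Keys) {
        $actual = $current.$name
        if ($null -ne $actual -and [int]$actual -eq $TamperedExplorer[$name]) {
            $findings.Add((New-Finding 'ExplorerSetting' $adv $name $actual 'matches the value the Trojan sets'))
        }
    }
    return $findings
}

# @() forces an array even when the function returns zero or one finding.
$results = @(Get-TompaiIndicators)
if ($results.Count -eq 0) { 'No Troj/Tompai-B indicators found.' }
else { $results | Format-Table -AutoSize }
```

An `Autorun` or `File` finding is the signal to act on; an `ExplorerSetting` finding alone is expected on a clean machine for HideFileExt and ShowSuperHidden, which is why the script reports but does not score. The autorun check matches on file name anywhere in the value data, so a legitimate program that happens to use one of these names would also be listed and should be confirmed before deletion.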

Troj/Tompai-B opens a backdoor on the infected system and reports the infection by contacting a predefined URL and by email.

Troj/Tompai-B gives the following options to a remote user:

Access folder.
Access parent folder.
Change attribute of file/folder.
Change drive.
Delete any file.
Execute any file.
Force PC to Shut Down.
Get IP WAN.
Get the date/time of the server.
Get the list of commands supported by the server.
Get the list of the directories.
Get the list of the files.
Logoff PC.
Logout from the server.
Reboot the PC.
Show the User.
