Troj/Tompai-C

Aliases	Backdoor.Win32.Tompai.e
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	3 August 2005 16:08:24 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Troj/Tompai-C is a Trojan for the Windows platform.

When first run Troj/Tompai-C copies itself to:

<System>\loadms.exe
<System>\loadmsnt.exe
<System>\mainsv.exe

Troj/Tompai-C will open a backdoor on the infected system and report the infection by contacting a predefined URL and via email.

Troj/Tompai-C provides a remote user with the functionality to:

- access folders
- change attributes of files/folders
- delete files
- execute files
- shutdown the infected computer

The following registry entries are created to run loadms.exe and mainsv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Cmpnt
<System>\mainsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Cmpnt
<System>\loadms.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
Cmpnt
<System>\mainsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Cmpnt
<System>\mainsv.exe

Get reports about the latest virus and spyware threats delivered to your computer