Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2008 (4.31) |
| Protection available since | 7 May 2008 23:18:28 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/VB-DZN is a Trojan for the Windows platform.
Troj/VB-DZN includes the functionality to:
- access the internet and communicate with a remote server via HTTP
- disable Task Manager
- disable the command prompt
- disable registry tools
- disable System Restore
- disable a number of security services
- disable Messenger
- open and close the CD tray
- reset the mouse buttons
- set several user accounts for remote users to access the computer
When first run, Troj/VB-DZN may copy itself to the Windows System folder under one of the following names:
- csmm.exe
- spoolsvr.exe
- smsx.exe
- regsvr.exe
- userinit32.exe
- volume.exe
- regsvc.exe
- update.exe
- nvsvc.exe
The Trojan also creates the following files:
- <Root>\nt.bat (detected as Troj/VB-DZN)
- <System>\<random numbers>.dll (harmless file that may be safely deleted)
Troj/VB-DZN creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewOnDrive
0x03ffffff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
disableregistrytools
1
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoBrowserOptions
1
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
2
The Trojan also changes the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"explorer.exe C:\\WINDOWS\\system32\\csmm.exe"
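
The following Python sketch is an added example, not Sophos code. It checks the text of a registry export (the `.reg` format written by `reg export`) for the policy values and the Winlogon `Shell` change listed above. It assumes the policy values are stored as REG_DWORD; the function names and the sample export are constructed for illustration.

```python
import re
# Indicators copied from this page: (key under HKCU\Software, value name) -> data.
# Assumption: the values are REG_DWORD, which a .reg export writes as dword:XXXXXXXX.
EXPLORER = r"microsoft\windows\currentversion\policies\explorer"
SYSTEM = r"microsoft\windows\currentversion\policies\system"
POLICIES = {
    (EXPLORER, "noviewondrive"): 0x03FFFFFF,
    (EXPLORER, "norun"): 2,
    (EXPLORER, "nofolderoptions"): 1,
    (SYSTEM, "disabletaskmgr"): 1,
    (SYSTEM, "disableregistrytools"): 1,
    (r"policies\microsoft\internet explorer\restrictions", "nobrowseroptions"): 1,
    (r"policies\microsoft\windows\system", "disablecmd"): 2,
}
HKCU = "hkey_current_user\\software\\"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def parse_reg(text):
    """Yield (key, name, data) for the dword and string values in .reg text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not (m and key):
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            yield key, name, int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # .reg strings escape backslash and double quote with a backslash
            yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])

def scan(text):
    """Return the (key, name, data) entries that match this page's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()  # registry keys and names ignore case
        if k.startswith(HKCU) and POLICIES.get((k[len(HKCU):], n)) == data:
            hits.append((key, name, data))
        # The Windows default for Winlogon\Shell is just "explorer.exe".
        elif (k, n) == (WINLOGON, "shell") and str(data).strip().lower() != "explorer.exe":
            hits.append((key, name, data))
    return hits

SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\csmm.exe"
'''  # constructed sample, not captured from a real host
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `scan`. The same policy values can also be set deliberately by an administrator, so a match calls for a closer look at the host and is not a verdict by itself.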
