Sophos

Troj/Viran-B

Aliases
  • Trojan-PSW.Win32.Agent.dd

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 22 November 2005 01:13:08 (GMT)
Last updated 9 May 2007 21:06:38 (GMT)
Detected by All Sophos products

More Information

Troj/Viran-B is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Viran-B includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Viran-B copies itself to:

<Common Files>\System\lsass.exe
<System>\ctfmon.exe
<System>\userinit.exe

and creates the following files:

<System>\divx5.dll
<System>\h323.txt

The file divx5.dll is the stealthing component Troj/HideProc-K.

The Trojan modifies the system file sfc.dll or sfc_os.dll, depending on the operating system being run. This is part of an attempt to disable the Windows System File Checker, presumably so that the Trojan can modify further system files without them being restored.

The following registry entries are created to run Troj/Viran-B on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Userinit
<Common Files>\system\lsass.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE
<System>\ctfmon.exe

The following registry entry is changed to run userinit.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

Registry entries are created under:

HKLM\SOFTWARE\
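An added defender-side check, written here and not Sophos's own tooling: a PowerShell triage script that looks for the dropped-file, Run-key and SFCDisable indicators listed above on the local host. It assumes <Common Files> is $env:CommonProgramFiles, <System> is $env:SystemRoot\System32, an elevated prompt, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added host-triage script (not Sophos's own tooling). Checks the local
# machine for the Troj/Viran-B indicators from the analysis above.
# Assumptions: <Common Files> = $env:CommonProgramFiles,
# <System> = $env:SystemRoot\System32, run from an elevated prompt.
$system   = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# Dropped files: lsass.exe under Common Files\System, divx5.dll (the
# Troj/HideProc-K stealth component) and h323.txt do not belong on a
# clean system, so their presence alone is a finding.
$dropped = @(
    (Join-Path $env:CommonProgramFiles 'System\lsass.exe'),
    (Join-Path $system 'divx5.dll'),
    (Join-Path $system 'h323.txt')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file present: $path") }
}

# userinit.exe and ctfmon.exe exist on every Windows install and the Trojan
# overwrites them in place, so they are only detectable by content: record
# their hashes for comparison against a known-clean copy of the same build.
# (The HKCU CTFMON.EXE Run entry is normal on XP and is not used as an indicator.)
foreach ($name in 'userinit.exe', 'ctfmon.exe') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("Verify against clean build: $path SHA256=$hash")
    }
}

# Persistence: a value named 'Userinit' does not normally exist under the
# HKLM Run key (Userinit belongs under Winlogon), so any value there is suspect.
$hklmRun = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($hklmRun.Userinit) { $findings.Add("HKLM Run\Userinit = $($hklmRun.Userinit)") }

# SFC tampering: the page's DWORD ffffff9d reads back as Int32 -99, so format
# it as 8-digit hex before comparing with the documented value.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($null -ne $winlogon.SFCDisable) {
    $hex = '{0:x8}' -f [int]$winlogon.SFCDisable
    if ($hex -eq 'ffffff9d') { $findings.Add("Winlogon\SFCDisable = 0x$hex (System File Checker disabled)") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Troj/Viran-B indicators found.' }
```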
