Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 4 July 2005 06:00:08 (GMT) |
| Last updated | 20 October 2005 02:55:14 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
More Information
Troj/Wollf-A is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
When first run, Troj/Wollf-A copies itself to <System>\mshms.exe.
The file mshms.exe is registered as a new system driver service named "Hardware Monitor", with a display name of "Hardware Monitor Service" and a startup type of automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Hardware Monitor\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HARDWARE_MONITOR\
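The file and registry artifacts listed above can be checked on a suspect host with a read-only script. This is an added example, not part of the original Sophos description; it assumes <System> resolves to the Windows system folder, and the function name Test-WollfArtifacts is hypothetical.

```powershell
# Added example: read-only check for the Troj/Wollf-A persistence artifacts
# named in this description. Run from an elevated PowerShell prompt.

function Test-WollfArtifacts {
    # Assumption: <System> in the description is the Windows system folder.
    $systemDir = [Environment]::SystemDirectory
    $dropPath  = Join-Path $systemDir 'mshms.exe'
    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Hardware Monitor'
    $enumKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HARDWARE_MONITOR'

    $findings = @()

    # 1. The dropped copy of the Trojan (-Force so a hidden file is still read).
    if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
        $file = Get-Item -LiteralPath $dropPath -Force
        $findings += [pscustomobject]@{
            Artifact = 'Dropped file'
            Location = $dropPath
            Detail   = "size=$($file.Length) createdUtc=$($file.CreationTimeUtc.ToString('u'))"
        }
    }

    # 2. The "Hardware Monitor" service key. Start = 2 is the automatic
    #    startup type; an ImagePath ending in mshms.exe ties it to the drop.
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $pointsAtDrop = [string]$svc.ImagePath -like '*mshms.exe*'
        $findings += [pscustomobject]@{
            Artifact = 'Service key'
            Location = $svcKey
            Detail   = "DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)' " +
                       "Start=$($svc.Start) PointsAtMshms=$pointsAtDrop"
        }
    }

    # 3. The legacy device enumeration key created alongside the service.
    if (Test-Path -LiteralPath $enumKey) {
        $findings += [pscustomobject]@{
            Artifact = 'Legacy enum key'
            Location = $enumKey
            Detail   = 'present'
        }
    }

    return $findings
}

$result = Test-WollfArtifacts
if ($result) { $result | Format-List }
else { 'None of the Troj/Wollf-A artifacts from this description were found.' }
```

A service key named "Hardware Monitor" whose ImagePath does not reference mshms.exe may belong to unrelated software, so treat the PointsAtMshms value and the presence of the dropped file together.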
Troj/Wollf-A also changes the following registry entry from its default Windows setting:
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
(default)
from: 00000007
to: 00000008
Troj/Wollf-A includes functionality to:
- create an FTP/Telnet server
- sniff network packets
- steal confidential information
- provide a proxy server
- display message boxes
- create/delete folders and files
- shut down/reboot Windows on the infected computer
- inject its code into other processes
- disable other applications and services
- silently download, install and run new software, including updates of its software
