Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 9 December 2005 22:02:20 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/YSpy-A is a constructor Trojan for the Windows platform.
The Trojan has the functionality to send user information to a predefined email address, access the Internet, capture keystrokes, and disable the Task Manager and the registry editor.
When Troj/YSpy-A installs, it displays a window titled 'Yahoo Spy Final Version' and asks the user to select options; it then creates server.exe in the current folder. When server.exe runs, it copies itself to <Windows folder>\msagent\update.exe and creates the following files:
<Windows system folder>\Decoder.dll
<Windows folder>\tcpctrl.exe
The following registry entries are created to run update.exe and tcpctrl.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
TCP/IP Checker
<Windows folder>\tcpctrl.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Windows Updater
<Windows folder>\msagent\update.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows folder>\tcpctrl.exe
The following registry entry is changed to run update.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows folder>\msagent\update.exe
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows folder>\Explorer.exe to be run on startup).
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
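The following script is an added example, not a Sophos tool: a read-only audit of the files and registry locations listed above, so an administrator can confirm whether a machine shows these indicators before following the removal instructions. It assumes <Windows folder> is $env:windir and <Windows system folder> is System32, and that it runs as the affected user with read access to HKLM. It goes slightly beyond the analysis by listing every value under Policies\Explorer\Run rather than only the two names given, since anything in that key runs at logon.

```powershell
# Added example, not part of the Sophos analysis: a read-only audit of the
# files and registry locations listed for Troj/YSpy-A. It reports, never removes.
# Assumptions: <Windows folder> = $env:windir, <Windows system folder> = System32,
# and the script runs as the affected user (HKCU) with rights to read HKLM.

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns the value's data, or $null if the key or value does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-YSpyIndicators {
    $findings = New-Object System.Collections.Generic.List[string]
    $windir = $env:windir

    # 1. Files the analysis says server.exe drops.
    foreach ($p in @(
            (Join-Path $windir 'msagent\update.exe'),
            (Join-Path $windir 'tcpctrl.exe'),
            (Join-Path $windir 'System32\Decoder.dll'))) {
        if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
    }

    # 2. Policies\Explorer\Run: list every value, not only the two names the
    #    analysis gives, since anything here runs at logon and is rarely legitimate.
    $policyRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path -LiteralPath $policyRun) {
        $key = Get-Item -LiteralPath $policyRun
        foreach ($n in $key.GetValueNames()) {
            $findings.Add("Policies\Explorer\Run '$n' = $($key.GetValue($n))")
        }
    }

    # 3. The legacy 'load' value is normally absent or empty.
    $load = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'load'
    if ($load) { $findings.Add("Windows NT\CurrentVersion\Windows 'load' = $load") }

    # 4. Winlogon Shell should be exactly explorer.exe (PowerShell -ne is case-insensitive).
    $shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("Winlogon 'Shell' = $shell (expected explorer.exe)")
    }

    # 5. Registry editor disabled by policy.
    $drt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
    if ($drt -and [int]$drt -ne 0) { $findings.Add("DisableRegistryTools = $drt") }

    return $findings
}

$result = Test-YSpyIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Troj/YSpy-A indicators found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

The DisableRegistryTools policy only blocks regedit, which is why the audit reads the registry through PowerShell's registry provider instead. A non-empty Winlogon Shell finding is the one to treat with most care: the page states the default is "Explorer.exe", so anything appended to it is what launches the Trojan at logon.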
