Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2008 (4.31) |
| Protection available since | 2 June 2008 19:21:58 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Zapchas-EB is a backdoor Trojan that allows a remote intruder to gain access to and control over the computer.
When Troj/Zapchas-EB is installed, the following malicious files are created:
<System>\drive\lmz.exe
<System>\drive\lmz1.bmp
<System>\drive\reg.dll
The files lmz.exe and lmz1.bmp are detected as Troj/Zapchas-DI and the file reg.dll is detected as Troj/Zapchas-CZ.
Troj/Zapchas-EB also installs mIRC in the <System>\drive folder as calling.com, and PrcView.exe as lam1.exe.
Troj/Zapchas-EB also drops the following PUAs in the <System>\drive folder:
daSniff
HideWindow
NirPassView
The following registry entry is created to run calling.com (mIRC) on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msennger
<System>\drive\calling.com
The following registry entries are set or modified so that calling.com is run when files with the extensions CHA and IRC are opened or launched:
HKCR\ChatFile\Shell\open\command
(default)
"<System>\drive\calling.com" -noconnect
HKCR\irc\Shell\open\command
(default)
"<System>\drive\calling.com" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<System>\drive\calling.com
HKCR\irc\DefaultIcon
(default)
<System>\drive\calling.com
