Troj/Zarcry-A

Aliases	Trojan-Dropper.Win32.Small.we Trojan-Clicker.Win32.Redir.b
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


Affected operating systems	Windows
Characteristics	Drops more malware Installs itself in the registry
Protection available since	3 June 2005 12:55:11 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Troj/Zarcry-A is a browser hijacking Trojan.

Troj/Zarcry-A will attempt to redirect web traffic intended for "google" to a predefined website.

When first run, Troj/Zarcry-A will create the following files:

<System>\rch.dll - Troj/Zarcry-A
<System>\rch32.dll - data file containing an encrypted URL
<System>\rdrlib.dll - Troj/Zarcry-A

Troj/Zarcry-A will attempt to inject code into other processes.

Troj/Zarcry-A will set the following registry entry:

HKCR\CLSID\(03B1C4D9-BC71-8916-38AD-9DEA5D213614)\InProcServer32
(default)
<System>\rch.dll

and one of the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\(03B1C4D9-BC71-8916-38AD-9DEA5D213614)

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\(03B1C4D9-BC71-8916-38AD-9DEA5D213614)

Get reports about the latest virus and spyware threats delivered to your computer