Troj/Zikdow-B

Aliases	Trojan.JS.Zxdow VBS_Zikdow-Gen VBS/Regmess.A VBS.Winrun
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	7 June 2004 10:04:19 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

Troj/Zikdow-B is a Trojan that hijacks Internet Explorer settings so that the home page and Search pages point to www.3241.com.

The Trojan is installed on the system when a user visits a web page that drops
two files, winsys.vbs and winsys.cer, into the folder
C:\$NtUninstallQ303030$ and launches winsys.vbs.

Troj/Zikdow-B then creates the new registry value
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WlN32

so that winsys.cer is imported into the registry during the next system boot.

Winsys.cer contains the registry values to redirect Internet Explorer to use www.3241.com as its home page and search page instead of the user-defined pages.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Zikdow-B

Summary

Action

More Information