Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 23 May 2005 12:53:14 (GMT) |
| Detected by | All Sophos products (Endpoint Security and Control 9.0, Small business solutions 4.0) |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Zlob-C is a downloader Trojan on the Windows platform.
When run, the Trojan drops the file msmsgs.exe into the Windows System folder and runs it. This file is also detected by Sophos as Troj/Zlob-C. The file name and the registry value name below mimic Windows Messenger; the legitimate msmsgs.exe is installed under %ProgramFiles%\Messenger, not in the System folder. Troj/Zlob-C then performs the following two actions so that the Trojan is started during user logon:
creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN Messenger
%SYSTEM%\msmsgs.exe
changes the following registry entry (the Winlogon Shell value, which lists the programs started as the user's shell):
from:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe
to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe, msmsgs.exe
Troj/Zlob-C also creates the following entry under the Explorer Run policy key, which is a further logon autostart location. The value name notepad.exe is only a label for the entry; it does not cause the Trojan to start when notepad.exe is launched:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
notepad.exe
msmsgs.exe
Troj/Zlob-C also creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
uuid
<randomly generated UUID>
Once installed, Troj/Zlob-C attempts to ping remote websites and to download files from remote websites into the %SYSTEM%\LOGFILES folder and run them. The Trojan then attempts to inject itself into the Windows Explorer process (explorer.exe) in order to hide itself.
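The persistence locations and dropped files described above can be audited with a short script. The following is an added example written for this page, not Sophos tooling or the removal procedure referred to in the Action section; it only reports, it does not clean. It assumes a default Windows layout (%SystemRoot%\System32 as the System folder), that the dropped copy is %SystemRoot%\System32\msmsgs.exe, and that a clean Winlogon Shell value is exactly Explorer.exe. Note that %SystemRoot%\System32\LogFiles is a legitimate folder on Windows and the path comparison is case-insensitive, so the folder's existence proves nothing; executables inside it are the indicator.

```powershell
# Added example for this page: audit the Troj/Zlob-C persistence locations.
# Not Sophos code. Assumes default paths; run from an elevated PowerShell.

$System   = Join-Path $env:SystemRoot 'System32'     # assumed %SYSTEM%
$Dropped  = Join-Path $System 'msmsgs.exe'           # dropped copy (assumption)
$LogFiles = Join-Path $System 'LOGFILES'             # download folder named on the page

function Get-RegValue {
    # Returns the data of a registry value, or $null if key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ZlobCIndicators {
    $hits = @()

    # 1. Run key value "MSN Messenger" pointing at msmsgs.exe in the System folder.
    $run = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'MSN Messenger'
    if ($run -and $run -match 'msmsgs\.exe') {
        $hits += [pscustomobject]@{ Location = 'HKLM Run\MSN Messenger'; Value = $run }
    }

    # 2. Winlogon Shell should be exactly "Explorer.exe"; any extra entry is suspect.
    $shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($shell -and ($shell.Trim() -ine 'Explorer.exe')) {
        $hits += [pscustomobject]@{ Location = 'Winlogon\Shell'; Value = $shell }
    }

    # 3. Explorer Run policy entry; "notepad.exe" is just the value name, data is the command.
    $pol = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' 'notepad.exe'
    if ($pol) {
        $hits += [pscustomobject]@{ Location = 'Policies\Explorer\Run\notepad.exe'; Value = $pol }
    }

    # 4. "uuid" marker directly under CurrentVersion; supporting evidence only.
    $uuid = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' 'uuid'
    if ($uuid) {
        $hits += [pscustomobject]@{ Location = 'CurrentVersion\uuid'; Value = $uuid }
    }

    # 5. Dropped file in the System folder (legitimate Messenger lives in %ProgramFiles%\Messenger).
    if (Test-Path $Dropped) {
        $hash = (Get-FileHash -Path $Dropped -Algorithm SHA256).Hash
        $hits += [pscustomobject]@{ Location = $Dropped; Value = "SHA256=$hash" }
    }

    # 6. Executables in the LOGFILES folder; the folder itself is normal on Windows.
    if (Test-Path $LogFiles) {
        Get-ChildItem -Path $LogFiles -File -Include *.exe, *.dll -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits += [pscustomobject]@{ Location = $_.FullName; Value = "executable in LOGFILES, $($_.Length) bytes" }
            }
    }

    # 7. A live msmsgs.exe process started from the System folder.
    Get-Process -Name msmsgs -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $Dropped) } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Location = "process PID $($_.Id)"; Value = $_.Path }
        }

    return $hits
}

Get-ZlobCIndicators | Format-Table -AutoSize
```

Check the Winlogon Shell finding by hand before acting on it: some managed builds set a custom shell legitimately, so the script flags any deviation from Explorer.exe and leaves the judgement to the analyst. Because the Trojan injects into explorer.exe, registry cleanup alone is not enough; the running process must be dealt with first, which is why the Action section points to the general Trojan removal instructions rather than a registry edit.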
