high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Included in our products from | March 2006 (4.03) |
| Protection available since | 20 January 2006 11:21:04 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/CashGrab-L is a password-stealing Trojan for the Windows platform.
Troj/CashGrab-L monitors internet browser windows for certain banking websites, attempting to steal information if it finds them. Troj/CashGrab-L may attempt to contact scripts on remote websites to send logged data.
Troj/CashGrab-L also contains browser redirecting functionality.
When Troj/CashGrab-L is installed some of the following files are created:
<System>\svchost.dll
<System>\winsetup.exe
<CurrentFolder>\setup.cmd
<System>\ierror.rep
<System>\svact\004.act
<System>\svact\011.act
<System>\svact\013.act
<System>\svskn\004.sns
<System>\svskn\011.sns
<System>\svskn\013.sns
<System>\wint.ini
<System>\winte.html
The file svchost.dll is also detected as Troj/CashGrab-L. The file winsetup.exe is detected as Troj/CashGrab-D.
The file setup.cmd is a clean file to delete some of the Troj/CashGrab-L files, first displaying them message "Microsoft has you" multiple times followed by "Microsoft has you - Complict!".
The other files are all clean log files and may deleted.
Troj/CashGrab-L may create some of the following folders:
<Root>\abrams
<System>\arcada
<System>\svact
<System>\svcontr
<System>\svskn
The file svchost.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
HKCR\svchost.Update\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
|
