high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | September 2005 (3.97) |
| Protection available since | 12 July 2005 07:03:49 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Certif-F is a password stealing Trojan for the Windows platform.
Troj/Certif-F monitors system activity and collects user credentials typed into the windows of various online banking applications. This information is stored in files created by the Trojan with a .txt or .aes extension within the <Windows>\netscape folder which is also created by the Trojan.
When first run Troj/Certif-F copies itself to <System>\direct3d.exe and creates the following harmless files:
<Windows>\netscape\USER.txt.aes
<Windows>\netscape\<user>.txt
where <user> is the name of the user of the infected computer.
Troj/Certif-F will attempt to remove the following files along with any associated registry entries:
bluetooth.exe
directsnd.exe
dxdiag32.exe
dxdiags.exe
dxdrv.exe
mailman.exe
msdirect.exe
msn_explorer.exe
terraxp.exe
Troj/Certif-F will attempt to download and execute a file from a predefined URL via http. Stolen information will be uploaded to a predefined URL via ftp.
The following registry entry is created to run direct3d.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
direct3d.exe
<System>\direct3d.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
pname
direct3d.exe
|
