high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | November 2005 (3.99) |
| Protection available since | 2 September 2005 13:10:56 (GMT) |
| Last updated | 11 October 2005 19:50:10 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Cozdoor-C is a backdoor Trojan for the Windows platform.
Troj/Cozdoor-C includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run Troj/Cozdoor-C copies itself to the Windows System folder with a
random filename eight letters long, and drops a DLL file also with a random name eight
letters long to the same folder. The DLL file contains the backdoor functionality of the Trojan.
The following registry entry is created to run code exported by the Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
SysTray.Excn
(1722ECFF-4356-4f5b-B534-E67294FE75E9)
The DLL is registered as a COM object, creating registry entries under:
HKCR\CLSID\(1722ECFF-4356-4f5b-B534-E67294FE75E9)
Once running, the backdoor connects to a pre-specified website where it can
receive further commands.
Troj/Cozdoor-C changes settings for Microsoft Internet Explorer by modifying
values under:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
The Trojan also adds the following entries to the computers HOSTS file, to deny
access to the specified websites:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 download.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
|
