Summary

| Included in our products from | December 2004 (3.88) |
|---|---|
| Protection available since | 25 June 2004 14:49:31 (GMT) |
| Last updated | 22 October 2004 13:10:27 (GMT) |
| Detected by | All Sophos products |
Action

Please contact technical support.
More Information
Troj/CWS-C is an adware Trojan which changes browser settings and modifies
the HOSTS file, so that when the user attempts to connect to selected
websites they are redirected to an alternative site.
Troj/CWS-C may also launch web pages, including pages containing sexual
content.
When the installation executable for Troj/CWS-C is first run, it adds its
pathname to one of the following new registry entries so that it runs itself on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AddClass
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Host
The installation executable drops a DLL named dpe.dll (usually to the
Windows folder) and loads/registers this DLL via the command regsvr32 /s dpe.dll.
Registry entries are created under:
HKCR\CLSID\{834261E1-DD97-4177-853B-C907E5D5BD6E}
HKCR\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}
HKCR\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}
HKCR\TypeLib\{BD0022A3-A43F-4F44-B64F-53EA7575F097}
HKCR\AnalyzeIE.DOMPeek.1
HKCR\AnalyzeIE.DOMPeek
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}
Files named mstlb.exe, msalert.exe and dped.dll may be created in the
Windows or Windows system folders.
Troj/CWS-C may use one of these executables to display a fake dialog
containing the text "Microsoft windows - security alert", "SERIOUS SECURITY
VULNERABILITY HAS BEEN FOUND!". When the user clicks "Process with
select of protection software", Internet Explorer is launched with the link
www.security-look.cc/adware.
Dpe.dll modifies Internet Explorer settings by changing sub-keys of the
following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Search
HKLM\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\SearchUrl
HKLM\Software\Microsoft\Internet Explorer\SearchUrl
HKCU\Software\Microsoft\Internet Explorer\Main
HKLM\Software\Microsoft\Internet Explorer\Main
Registry values are set using spoof URL strings, for example:
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page = http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D
The following registry entries may also be set:
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix = http://%65%68%74%74%70%2E%63%63/?
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\www = http://%65%68%74%74%70%2E%63%63/?
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A04 = 3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A05 = 1
Troj/CWS-C may download and install/run updates of its software and
new components without notification that it is doing so.
Troj/CWS-C may also download COM DLLs and register them as Browser
Helper Objects for Microsoft Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Troj/CWS-C is typically installed as part of the installer for other third-party
software (typically shareware or freeware downloaded from the internet).
Note: On Windows operating systems the HOSTS file is normally installed to
one of the following locations:
WINNT\system32\drivers\etc\hosts
WINDOWS\system32\drivers\etc\hosts
WINDOWS\hosts
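The two artefacts described above, percent-encoded "spoof URL" values in the Internet Explorer registry keys and HOSTS-file redirections, can both be checked offline. The following is an added example, not Sophos' code; it decodes registry values written in the `Name = value` form shown on this page, flags a value whose hostname is written entirely as `%XX` escapes, and lists HOSTS entries that point anywhere other than loopback. The registry values and the HOSTS file below are constructed samples.

```python
"""Added example: decode percent-obfuscated IE URL settings and list
HOSTS-file redirections (constructed inputs, not captured from a host)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed registry values, written as "Name = value" like the write-up.
SAMPLE_REG_VALUES = [
    "Search Page = http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D",
    "DefaultPrefix = http://%65%68%74%74%70%2E%63%63/?",
    "Start Page = http://www.example.com/",           # benign, plain host
]

# Constructed HOSTS file: one legitimate loopback entry and one redirect.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.example-search.test
::1             localhost
"""

def decode_spoof_url(value):
    """Return (decoded_url, is_obfuscated).

    The registry stores the URL exactly as written; a host made only of
    %XX escapes hides the real destination from a casual look at the key,
    which is the 'spoof URL string' technique described above."""
    url = value.split("=", 1)[1].strip() if "=" in value else value.strip()
    host = urlsplit(url).netloc                 # host as stored, undecoded
    obfuscated = bool(host) and re.fullmatch(r"(?:%[0-9A-Fa-f]{2})+", host) is not None
    return unquote(url), obfuscated

def hosts_redirects(text):
    """Return {hostname: ip} for HOSTS entries mapping a name to a
    non-loopback address; these are the redirections that send a user
    to an 'alternative site' when they type a familiar hostname."""
    redirects = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            continue
        for name in names:
            redirects[name] = ip
    return redirects

if __name__ == "__main__":
    for v in SAMPLE_REG_VALUES:
        print(v, "->", decode_spoof_url(v))
    print(hosts_redirects(SAMPLE_HOSTS))
```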
