Sophos

Troj/Dcmbot-E

Aliases
  • Trojan-Spy.Win32.Agent.gt
  • PWS-Banker.gen.s

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from November 2005 (3.99)
Protection available since 12 September 2005 21:24:54 (GMT)
Detected by All Sophos products

More Information

Troj/Dcmbot-E is a Windows backdoor Trojan. It contains backdoor functions that allow unauthorized remote access to the infected computer while it runs in the background.

When first run Troj/Dcmbot-E copies itself to <Windows system folder>\config\service.exe and creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Service Process
<Windows system folder>\config\smss.exe

Once installed, the Trojan sets up a listening server that awaits instructions from a remote intruder, and injects itself into the Windows Explorer process to hide itself.

Troj/Dcmbot-E may attempt to send itself to remote IP addresses via FTP as the filename svchost.exe.

Once an appropriate remote command is received, the Trojan can perform the following functions:

  • steal email account information from Microsoft Internet Account Manager, including POP3 settings and passwords
  • download and run files from the Internet
  • perform denial of service (DoS) attacks
  • steal information from banking-related sites visited

Troj/Dcmbot-E may also create the following files:

C:\CLIENT.TXT
C:\CLIENTSEND.BIN
C:\CLIENTRECV.BIN
<Windows folder>\HOSTS.DLL
<Windows system folder>\OPTIONS.DLL

These files are not malicious and can be safely deleted.
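The following read-only PowerShell hunt script is an added example and not part of the Sophos report; it checks a single host for the artifacts listed above (the Run value, the copies under the system folder's config\ subdirectory, the side files, and a TCP listener owned by explorer.exe or a config\*.exe image). It assumes the Windows system folder is $env:SystemRoot\System32 and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added hunt script (not from Sophos). Read-only: reports findings, changes nothing.
$sys = Join-Path $env:SystemRoot 'System32'   # assumed <Windows system folder>
$win = $env:SystemRoot                         # assumed <Windows folder>
$findings = @()

# 1. Persistence: Run value "Service Process" pointing into <system>\config\
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Service Process']) {
    $data = $run.'Service Process'
    $findings += "Run value 'Service Process' = $data"
    if ($data -match '\\config\\(smss|service)\.exe') {
        $findings += '  -> matches the Troj/Dcmbot-E persistence path'
    }
}

# 2. Dropped copies (the report names both service.exe and smss.exe under config\;
#    the genuine smss.exe lives directly in System32, never in config\)
foreach ($p in @("$sys\config\service.exe", "$sys\config\smss.exe")) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "Executable present: $p" }
}

# 3. Side files the report says the Trojan may create
$sideFiles = @('C:\CLIENT.TXT', 'C:\CLIENTSEND.BIN', 'C:\CLIENTRECV.BIN',
               "$win\HOSTS.DLL", "$sys\OPTIONS.DLL")
foreach ($p in $sideFiles) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "Side file present: $p" }
}

# 4. Backdoor listener: explorer.exe does not normally listen on TCP, so a listening
#    socket owned by it (or by a config\*.exe image) is worth a closer look
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $procs[[int]$_.OwningProcess]
    $path = if ($proc) { $proc.Path } else { $null }
    if ($path -and ($path -match '\\explorer\.exe$' -or $path -match '\\config\\[^\\]+\.exe$')) {
        $findings += "Listening TCP port $($_.LocalPort) owned by PID $($_.OwningProcess) ($path)"
    }
}

if ($findings.Count -eq 0) { 'No Troj/Dcmbot-E indicators found.' } else { $findings }
```

Run it in an elevated session so the registry and process paths are readable; a hit on step 1 or 2 is the strongest signal, while step 4 on its own is a heuristic to confirm with your AV scan.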
