Sophos

Troj/Digidor-A


Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from September 2005 (3.97)
Protection available since 8 July 2005 21:29:42 (GMT)
Detected by All Sophos products

More Information

Troj/Digidor-A is a backdoor Trojan for the Windows platform.

Troj/Digidor-A includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Digidor-A copies itself to:

<Windows folder>\svohost.exe
<Windows system folder>\HDDGMom.exe
<Windows system folder>\lsasa.exe

Troj/Digidor-A also copies itself to several files in the <Windows folder>\temp folder.

The following registry entries are created to run svohost.exe and HDDGMom.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfnom.exe
<Windows folder>\SVOHOST.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe HDDGMom.exe

The following registry entry is set or modified so that lsasa.exe is run whenever a file with the .TXT extension is opened or launched:

HKCR\txtfile\shell\open\command
(default)
<Windows system folder>\lsasa.exe "%1"
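The persistence points listed above (the Run value, the Winlogon Shell chain and the hijacked txtfile handler) together with the three dropped file paths can be checked on a suspect host with the following script. It is an added example, not Sophos's own tooling, and assumes it is run with local administrator rights on the Windows machine being examined; the function name Find-DigidorIndicators is invented here.

```powershell
# Added example (not from Sophos): look for the registry and file indicators
# that Troj/Digidor-A is described as creating. Returns one object per finding.
function Find-DigidorIndicators {
    $findings = @()
    $add = { param($loc, $val, $why)
        $script:findings += [pscustomobject]@{ Location = $loc; Value = $val; Reason = $why } }

    # 1. HKCU Run: value named "ctfnom.exe" pointing at SVOHOST.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath etc.
            if ($p.Name -eq 'ctfnom.exe' -or "$($p.Value)" -match 'svohost\.exe') {
                & $add "$runKey\$($p.Name)" $p.Value 'Run value matches Troj/Digidor-A'
            }
        }
    }

    # 2. Winlogon Shell: a clean system has exactly "explorer.exe" here.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        & $add "$wl\Shell" $shell 'Program chained after explorer.exe (HDDGMom.exe pattern)'
    }

    # 3. txtfile open handler: lsasa.exe "%1" means .TXT files launch the Trojan.
    $txt = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $txt -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match 'lsasa\.exe') {
        & $add "$txt\(default)" $cmd 'txtfile handler hijacked'
    }

    # 4. Dropped copies in the Windows and System folders.
    $paths = @("$env:windir\svohost.exe",
               "$env:windir\System32\HDDGMom.exe",
               "$env:windir\System32\lsasa.exe")
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f) { & $add $f (Get-Item $f).Length 'Dropped file present' }
    }
    return $findings
}

$r = Find-DigidorIndicators
if ($r) { $r | Format-Table -AutoSize } else { 'No Troj/Digidor-A indicators found.' }
```

Any hit should be treated as a lead to confirm with the vendor's scanner rather than as proof of infection, since other software also chains programs after explorer.exe or changes the .TXT handler.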
