Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2005 (4.00) |
| Protection available since | 21 December 2004 10:32:41 (GMT) |
| Last updated | 17 October 2005 20:01:13 (GMT) |
| Detected by | All Sophos products |
Action

Windows 2000
You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.
- At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
- Before you edit the registry, you should make a backup. Select the 'HKEY_LOCAL_MACHINE on local machine' window. Select 'HKEY_LOCAL_MACHINE'. On the 'Registry' menu, click 'Save Subtree As'. Save the registry subtree as Backup.
- Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Select \iexplore
- On the Security menu select 'Permissions'
- In 'Permissions for...' deselect 'Allow inheritable permissions from parent to propagate to this object'
- In the Security dialog, click 'Remove'
- Click 'OK'
- Click 'Yes' to deny everyone access to the key
- Close the registry editor.
Follow the Safe Mode with Command Prompt instructions for removing Trojans.
Re-open the registry editor to delete the Trojan registry entries.
- At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
- Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Select \iexplore
- On the Security menu select 'Permissions'
- In 'Permissions for...' select 'Allow inheritable permissions from parent to propagate to this object'
- Click 'OK'
- On the Edit menu select 'Delete'
- Click 'Yes' to delete the key
- Close the registry editor.
Windows XP/2003
You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.
- At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
- Before you edit the registry, you should make a backup. Select 'My Computer'. On the 'File' menu, click 'Export'. Save your registry as Backup.
- Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Right-click 'iexplore'
- Select 'Permissions'
- In the 'Permissions for...' dialog, click 'Advanced'
- In the 'Advanced Security Settings for...' dialog, deselect 'Inherit from parent the permission entries that apply to child objects.'
- In the Security dialog, click 'Remove'
- Click 'OK'
- Click 'Yes' to deny everyone access to the key
- Click 'OK'
- Close the registry editor.
Follow the Safe Mode with Command Prompt instructions for removing Trojans.
Re-open the registry editor to delete the Trojan registry entries.
- At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
- Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Right-click 'iexplore'
- Select 'Permissions'
- In the 'Permissions for...' dialog, click 'Advanced'
- In the 'Advanced Security Settings for...' dialog, select 'Inherit from parent the permission entries that apply to child objects.'
- Click 'OK' twice
- Right-click 'iexplore'
- Select 'Delete'
- Click 'Yes' to delete the key
- Close the registry editor.
Windows NT
Please contact technical support.
Other platforms
Please follow the instructions for removing Trojans.
More Information
Troj/Dloader-EW is a downloader Trojan for the Windows platform.
In order to hide its activity and bypass firewalls, Troj/Dloader-EW will inject downloading code into the following processes:
- iexplore.exe
- opera.exe
- myie.exe
- mozilla.exe
Under Windows NT-based systems (NT, 2000, XP), Troj/Dloader-EW has the ability to set the following registry entries in order to run automatically on system startup:
| Key | Value | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore | DllName | <path to Trojan DLL> |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore | Startup | expF4 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore | Impersonate | 1 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore | Asynchronous | 1 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore | MaxWait | 1 |
Under Win9x (95, 98, ME) systems, Troj/Dloader-EW has the ability to set the following registry entries in order to run automatically on system startup:
| Key | Value | Data |
|---|---|---|
| HKLM\System\CurrentControlSet\Control\MPRServices\TestService | DllName | <path to Trojan DLL> |
| HKLM\System\CurrentControlSet\Control\MPRServices\TestService | EntryPoint | expF4 |
| HKLM\System\CurrentControlSet\Control\MPRServices\TestService | StackSize | <Number> |
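As an added defender's check, not part of the Sophos analysis: a Python script that parses a registry export (such as the Backup file the steps above create) and reports Winlogon\Notify and MPRServices subkeys carrying the entry point named above or a DLL path outside system32. The sample export, the placeholder DLL path and the system32 heuristic are constructed assumptions.

```python
import re
# Persistence locations the analysis above attributes to Troj/Dloader-EW.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
MPR_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices"

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # [HKEY_...] opens a key
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            name, data = m.groups()
            if data.startswith('"'):                         # REG_SZ: quoted, backslashes doubled
                data = data[1:-1].replace("\\\\", "\\")
            elif data.startswith("dword:"):                  # REG_DWORD in hex; other types kept raw
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys

def find_suspicious_notify(text):
    """Return (subkey, reason) pairs for Notify/MPRServices entries resembling the Trojan's."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if not (k.startswith(NOTIFY_KEY.lower() + "\\") or k.startswith(MPR_KEY.lower() + "\\")):
            continue
        dll = str(values.get("DllName", "")).lower()
        entry = str(values.get("Startup", values.get("EntryPoint", "")))
        if entry == "expF4":                                 # entry-point name given in the analysis
            findings.append((key, "entry point 'expF4'"))
        elif "\\" in dll and "\\system32\\" not in dll:      # assumption: Windows' own Notify DLLs are bare names or in system32
            findings.append((key, "DllName outside system32: " + dll))
    return findings

# Constructed sample export: one legitimate-looking entry, two Trojan-style entries (DLL path is a placeholder).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore]
"DllName"="C:\\WINDOWS\\PLACEHOLDER_TROJAN.dll"
"Startup"="expF4"
"Impersonate"=dword:00000001
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService]
"DllName"="C:\\WINDOWS\\PLACEHOLDER_TROJAN.dll"
"EntryPoint"="expF4"
"""
```

Running `find_suspicious_notify(SAMPLE_REG)` reports the iexplore and TestService subkeys and leaves the crypt32chain entry alone.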
