Sophos

Troj/Dloadr-TG


Summary

 
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from June 2006 (4.06)
Protection available since 10 April 2006 20:07:30 (GMT)
Detected by All Sophos products

More Information

Troj/Dloadr-TG is a Trojan for the Windows platform.

Troj/Dloadr-TG includes functionality to download, install and run new software.

Troj/Dloadr-TG may also log key presses and steal information.

When Troj/Dloadr-TG is installed, the Trojan attempts to download the following files from a remote site and run them:

<Windows folder>\Messenger.exe
<Windows folder>\Update.exe
<Windows folder>\Version.txt

At the time of writing, these files were unavailable for download.

The following registry entry is created to run Messenger.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo!!!
<Windows folder>\Messenger.exe

Troj/Dloadr-TG changes the Start Page for Microsoft Internet Explorer by setting the registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are created under:

HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\
HKCU\Software\Yahoo\pager\View\YMSGR_buzz\
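As an added example (not Sophos' own tooling), the following PowerShell script checks a Windows host for the registry and file indicators listed above and reports what it finds without changing anything. It assumes the Windows folder is $env:SystemRoot and that the script runs in an elevated prompt so HKLM is readable.

```powershell
# Added example: report-only check for the Troj/Dloadr-TG indicators named on this page.
# Assumptions: Windows folder = $env:SystemRoot; run elevated so HKLM is readable.
$WinDir   = $env:SystemRoot
$Findings = @()

# 1. Autorun entry: HKLM\...\Run, value "Yahoo!!!" pointing at <Windows folder>\Messenger.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Yahoo!!!']) {
    $Findings += "Run value 'Yahoo!!!' = $($run.'Yahoo!!!')"
}

# 2. Registry editor disabled via DisableRegistryTools = 1
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) {
    $Findings += 'DisableRegistryTools is set to 1 (regedit blocked)'
}

# 3. Keys created under HKCU\Software\Yahoo\pager\View\ (a weak indicator on its own:
#    a legitimate Yahoo Messenger install also writes under Software\Yahoo\pager)
foreach ($sub in 'YMSGR_Launchcast', 'YMSGR_buzz') {
    $k = "HKCU:\Software\Yahoo\pager\View\$sub"
    if (Test-Path $k) { $Findings += "Registry key present: $k" }
}

# 4. Files the Trojan tries to place in the Windows folder
foreach ($f in 'Messenger.exe', 'Update.exe', 'Version.txt') {
    $p = Join-Path $WinDir $f
    if (Test-Path $p) { $Findings += "File present: $p" }
}

# 5. IE Start Page: the advisory gives no specific value, so report the current one for review
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie) { Write-Host "IE Start Page currently: $($ie.'Start Page')" }

if ($Findings.Count -eq 0) {
    Write-Host 'No Troj/Dloadr-TG indicators found.'
} else {
    Write-Host 'Indicators matching Troj/Dloadr-TG:'
    $Findings | ForEach-Object { Write-Host " - $_" }
}
```

The HKCU checks only cover the hive of the user running the script, so repeat them (or load the other NTUSER.DAT hives) for every profile on a shared machine.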
