Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 12 April 2005 13:07:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Dropper-AT is a Trojan dropper.
When run, the Trojan displays a fake error dialog, then drops spoolsvc.dll into the Windows system folder and creates the following registry entry to auto-start the dropped component:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

| Value | Data |
|---|---|
| spoolsvc | spoolsvc.exe |
Troj/Dropper-AT will also place a modified version of itself into the Windows system folder as spoolsvc.exe.
The Trojan will also create the following registry entries so as to install the dropped component:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoolsvc

| Value | Data |
|---|---|
| Asynchronous | 0 |
| DllName | spoolsvc.dll |
| Impersonate | 0 |
| Lock | WLEvtLock |
| Logoff | WLEvtLogoff |
| Logon | WLEvtLogon |
| Shutdown | WLEvtShutdown |
| StartScreenSaver | WLEvtStartScreenSaver |
| Startup | WLEvtStartup |
| StopScreenSaver | WLEvtStopScreenSaver |
| Unlock | WLEvtUnlock |
Spoolsvc.dll is detected by Sophos as Troj/SCKeyLog-C.
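
The following Python check is an added example, not part of the Sophos analysis. It scans text in REGEDIT export format for the two persistence points described above: the Run value and the Winlogon Notify package. The function names and the sample export are constructed for illustration, and real `reg export` files are usually UTF-16 and must be decoded before being passed in.

```python
import re

# Keys from the analysis above, lowercased with HKLM expanded as reg export writes it.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"

# Constructed sample export; crypt32chain stands in for a benign Notify package.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsvc"="spoolsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoolsvc]
"DllName"="spoolsvc.dll"
"Logon"="WLEvtLogon"
'''

def parse_reg(text):
    """Parse REGEDIT-style text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                current[m.group(1)] = m.group(2).strip('"')
    return keys

def find_dropper_at(text):
    """Return (location, name, data) for each indicator listed in the analysis."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "spoolsvc" and data.lower().endswith("spoolsvc.exe"):
            hits.append(("Run", name, data))
    for key, values in keys.items():
        if key.startswith(NOTIFY_KEY + "\\"):
            dll = {k.lower(): v for k, v in values.items()}.get("dllname", "")
            if dll.lower().endswith("spoolsvc.dll"):
                hits.append(("Winlogon\\Notify", key.rsplit("\\", 1)[1], dll))
    return hits

if __name__ == "__main__":
    for hit in find_dropper_at(SAMPLE):
        print(hit)
```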
