Sophos

Troj/DwnLdr-FHX


Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from October 2006 (4.10)
Protection available since 5 September 2006 13:33:24 (GMT)
Detected by All Sophos products

More Information

Troj/DwnLdr-FHX is a Trojan for the Windows platform.

When first run, Troj/DwnLdr-FHX copies itself to <Windows>\lsass.exe and creates
the file <System>\rdriv.sys.

The file rdriv.sys is detected as Troj/Rootkit-W.

The file lsass.exe is registered as a new system driver service named "lsass",
with a display name of "Local Security Authority Subsystem Service" and a
startup type of automatic, so that it is started automatically during system
startup. The process <Windows>\lsass.exe is hidden. Registry entries are created
under:

HKLM\SYSTEM\CurrentControlSet\Services\lsass\

The file rdriv.sys is registered as a new system driver service named "rdriv",
with a display name of "rdriv". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\rdriv\

Troj/DwnLdr-FHX sets the following registry entries, disabling the automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start = 4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 = 1

HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM = N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = 1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
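The registry footprint listed above can be checked for during triage. The following Python script is an added example and not Sophos code: it parses the text produced by `reg export` (a .reg file) and reports which of the advisory's indicators it finds, covering the "lsass" and "rdriv" services, the three services forced to Start = 4, and the three values set under WindowsUpdate, Ole and Lsa. It works on an exported or offline-mounted hive rather than the live registry, because rdriv.sys (Troj/Rootkit-W) hides the running <Windows>\lsass.exe process on an infected machine. The embedded .reg excerpt is constructed for the example; for readability its ImagePath values are written as plain strings, whereas a real export stores REG_EXPAND_SZ values as `hex(2):...`, which the parser keeps as the raw literal.

```python
"""Triage check for the Troj/DwnLdr-FHX registry footprint (added example, not Sophos code).

Parses .reg text (the format written by `reg export`) and reports the advisory's
indicators. Run against an exported or offline hive: rdriv.sys hides the
<Windows>\\lsass.exe process on a live infected system."""

import re

# Constructed .reg excerpt standing in for an export from an infected machine.
# ImagePath is shown as a plain string here; a real export writes REG_EXPAND_SZ
# as hex(2):... which decode_value() leaves as the raw literal.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
"Type"=dword:00000001
"Start"=dword:00000002
"DisplayName"="Local Security Authority Subsystem Service"
"ImagePath"="C:\\WINDOWS\\lsass.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
"Type"=dword:00000001
"Start"=dword:00000002
"DisplayName"="rdriv"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\rdriv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

SERVICES = "hklm\\system\\currentcontrolset\\services\\"


def decode_value(data):
    """Turn a .reg value literal into a Python value (dword -> int, "str" -> str)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg files escape backslashes and double quotes inside string values.
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex(...) and other types: keep the raw literal


def parse_reg(text):
    """Parse .reg text into {key (lower-cased, HKLM-prefixed): {value name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKEY_LOCAL_MACHINE\\", "HKLM\\").lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue  # '@=' default values and hex continuation lines are not needed here
        keys[current][m.group(1).lower()] = decode_value(m.group(2))
    return keys


def check_dwnldr_fhx(reg):
    """Return human-readable findings for each advisory indicator present in reg."""
    findings = []

    # 1. The two driver services the Trojan registers. The genuine LSASS is
    #    <System>\lsass.exe and is never a service under Services\lsass, so the
    #    key existing at all is the signal; ImagePath shows the dropped copy.
    for svc in ("lsass", "rdriv"):
        vals = reg.get(SERVICES + svc)
        if vals is not None:
            findings.append("service '%s' registered, ImagePath=%r" % (svc, vals.get("imagepath")))

    # 2. Services whose automatic startup the Trojan switches off (Start = 4).
    for svc in ("messenger", "remoteregistry", "tlntsvr"):
        if reg.get(SERVICES + svc, {}).get("start") == 4:
            findings.append("service '%s' has Start=4" % svc)

    # 3. The three values the advisory lists as set by the Trojan.
    expected = (
        ("hklm\\software\\policies\\microsoft\\windows\\windowsupdate", "donotallowxpsp2", 1),
        ("hklm\\software\\microsoft\\ole", "enabledcom", "N"),
        ("hklm\\system\\currentcontrolset\\control\\lsa", "restrictanonymous", 1),
    )
    for key, name, value in expected:
        if reg.get(key, {}).get(name) == value:
            findings.append("%s\\%s = %r" % (key, name, value))

    # The Security Center and WindowsFirewall policy keys the advisory mentions
    # also exist on many clean systems, so their mere presence is not reported.
    return findings


if __name__ == "__main__":
    for finding in check_dwnldr_fhx(parse_reg(SAMPLE_REG)):
        print(finding)
```

On the constructed sample the script reports seven findings: both bogus services, the Messenger and RemoteRegistry services with Start = 4 (TlntSvr is left at 3 in the sample to show a non-match), and the three set values. To use it on a real case, replace SAMPLE_REG with the contents of a `reg export HKLM` file taken from the collected hive.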
