Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2005 (4.00) |
| Protection available since | 25 October 2005 08:55:03 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Flood-EU is a backdoor Trojan for the Windows platform.
When Troj/Flood-EU is installed, the following files are created:
<Windows>\77804.reg
<Windows>\909376.reg
<Windows>\bear.txt
<Windows>\Con32.dll
<Windows>\connects
<Windows>\edih.dll
<Windows>\Kenan Uninstaller.exe
<Windows>\mirc.exe
<Windows>\remote.ini
<Windows>\up.reg
The file bear.txt is also detected as Troj/Flood-EU.
The file mirc.exe is a legitimate IRC application.
The following registry entry is created to run mirc.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Startup
mirc.exe
The following registry entries are set or modified, so that mirc.exe is run when files with extensions of CHA and IRC are opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
"<Windows>\mirc.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
"<Windows>\mirc.exe" -noconnect
Registry entries are set as follows:
HKLM\SOFTWARE\Kenan\Kenan
Uninstaller
<Windows>\Kenan Uninstaller.exe
HKCR\ChatFile\DefaultIcon
(default)
<Windows>\mirc.exe
HKCR\irc\DefaultIcon
(default)
<Windows>\mirc.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Kenan\Kenan\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Troj/Flood-EU provides an uninstall option for mirc.exe which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "mIRC".
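
A read-only triage check for the files and registry entries listed above, as an added PowerShell example (not Sophos code). It assumes <Windows> maps to $env:windir; the WOW6432Node key is an added assumption that covers registry redirection on 64-bit Windows and is not from the description.

```powershell
# Added triage check (not Sophos code). Assumes <Windows> on the page means $env:windir.
$win = $env:windir

# Files from the description. mirc.exe is left out of this list because the page
# says it is a legitimate IRC application; its presence alone proves nothing.
$dropped = '77804.reg', '909376.reg', 'bear.txt', 'Con32.dll', 'connects',
           'edih.dll', 'Kenan Uninstaller.exe', 'remote.ini', 'up.reg'

# Read a registry value; returns $null if the key or the value does not exist.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    $path = "Registry::$Key"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    (Get-Item -LiteralPath $path).GetValue($Name)   # '' selects the (default) value
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $dropped) {
    $p = Join-Path $win $f
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# Persistence: Run value "Startup" that launches mirc.exe.
$run = Get-RegValue 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'Startup'
if ($run -and "$run".IndexOf('mirc.exe', [StringComparison]::OrdinalIgnoreCase) -ge 0) {
    $findings.Add("Run\Startup = $run")
}

# CHA and IRC file handlers that point at mirc.exe inside the Windows folder.
foreach ($class in 'ChatFile', 'irc') {
    $cmd = Get-RegValue "HKEY_CLASSES_ROOT\$class\Shell\open\command" ''
    if ($cmd -and "$cmd".IndexOf("$win\mirc.exe", [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $findings.Add("$class open command = $cmd")
    }
}

# Key created by the Trojan; the second path is the 32-bit view on 64-bit Windows (assumption).
foreach ($k in 'HKEY_LOCAL_MACHINE\SOFTWARE\Kenan\Kenan',
               'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kenan\Kenan') {
    if (Test-Path -LiteralPath "Registry::$k") { $findings.Add("key present: $k") }
}

if ($findings.Count) { $findings } else { 'No artifacts from the Troj/Flood-EU description found.' }
```

The script only reads the file system and registry and changes nothing; removal still follows the instructions under Action.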
