Sophos

Troj/Fusion-B

Aliases
  • Backdoor.Win32.Coldfuson.j

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from February 2006 (4.02)
Protection available since 11 January 2006 14:59:16 (GMT)
Detected by All Sophos products

More Information

Troj/Fusion-B is a backdoor Trojan for the Windows platform.

Troj/Fusion-B can log keypresses and email the results to a remote attacker. The Trojan includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Fusion-B is installed the following files are created:

<Temp>\~dp1.dll
<Windows>\nwisse.exe
<Windows>\winspols.scr
<System>\emgfx.exe
<System>\svch0st.com
<System>\svchost.klg

The files nwisse.exe, winspols.scr, emgfx.exe, and svch0st.com are slightly modified copies of the original Trojan and are detected as Troj/Fusion-B. The file ~dp1.dll is also detected as Troj/Fusion-B.

svchost.klg is a data file and may safely be deleted.

The following registry entries are created to run emgfx.exe, nwisse.exe, winspols.scr and svch0st.com on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(tt9381D8F2-0288-11D0-9501-00AA00B911A5)
StubPath
<System>\emgfx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwisse
<Windows>\nwisse.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe winspols.scr

(The default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup.)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
<System>\SVCH0ST.com
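A defender-side check of the persistence locations listed above, added here as an example and not part of the Sophos analysis: it parses a registry export in the text format produced by `reg export` and flags the Winlogon, Run and Active Setup entries this Trojan uses. The sample export and the Active Setup GUID in it are constructed placeholders, and the Winlogon `System` value is only flagged when non-empty.

```python
import re

# Constructed sample in "reg export" format (not a capture from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe winspols.scr"
"System"="C:\\WINDOWS\\system32\\SVCH0ST.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"nwisse"="C:\\WINDOWS\\nwisse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID}]
"StubPath"="C:\\WINDOWS\\system32\\emgfx.exe"
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# File names the analysis attributes to Troj/Fusion-B.
FILE_NAMES = ("nwisse.exe", "winspols.scr", "emgfx.exe", "svch0st.com", "~dp1.dll")


def parse_reg(text):
    """Parse a .reg export into {(key, value_name): data}. Only REG_SZ lines
    of the form "name"="data" are kept; default (@), hex and dword values are skipped."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg escapes backslashes as "\\"; unescape them
                entries[(key, m.group(1).lower())] = m.group(2).replace("\\\\", "\\")
    return entries


def find_fusion_indicators(entries):
    """Return {(key, value_name): reason} for entries matching the persistence above."""
    findings = {}
    for (key, name), data in entries.items():
        low = data.lower().strip()
        if key == WINLOGON and name == "shell" and low != "explorer.exe":
            findings[(key, name)] = f"Winlogon Shell carries an extra program: {data!r}"
        elif key == WINLOGON and name == "system" and low:
            findings[(key, name)] = f"Winlogon System value is set: {data!r}"
        elif any(f in low for f in FILE_NAMES):
            findings[(key, name)] = f"references a Fusion-B file name: {data!r}"
    return findings


if __name__ == "__main__":
    for (key, name), reason in find_fusion_indicators(parse_reg(SAMPLE_REG)).items():
        print(f"{key}\\{name}: {reason}")
```

On a live host the same function can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run out.reg` (and the Winlogon and Active Setup keys) read from disk.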
