high
Summary
Summary
Action- More Information
| Included in our products from | October 2003 (3.74) |
|---|---|
| Protection available since | 28 September 2003 09:47:16 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
Editing the registry
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SPOOLSV
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
SPOOLSV
and delete it if it exists.
Close the registry editor.
Editing Win.ini
At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Run=' and delete any references to the files you removed. Delete only that reference, not any other text.
Reboot your computer.
More Information
Troj/Graybird-A is a backdoor Trojan. When run on a victim's computer that computer will become vulnerable to unauthorised access attacks.
Troj/Graybird-A copies itself to the Windows system folder with the filename spoolsv.exe and sets the following registry entries so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SPOOLSV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV
A 'Run' entry will be added to the file win.ini which will also cause the Trojan to be run when Windows starts up.
The Trojan may be distributed in an email with the following characteristics:
Subject line: updated
Message text: Dear customer:
At 11:34 A.M. Pacific Time on August 13, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A new worm commonly known as W32.Blaster.Worm has been identified that exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.
Download the attached update program. To begin the download process, do one of the following:
To download the attached program to your computer for installation at a later time, click Save or Save this program to disk.then run it. If you have any problem, connect to us immediately.
Attached file: 03-26updated.exe
|
