Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | February 2006 (4.02) |
| Protection available since | 23 November 2005 17:57:04 (GMT) |
| Last updated | 9 January 2006 14:20:51 (GMT) |
| Detected by | All Sophos products |
Action

Please contact technical support.
More Information
Troj/Jupdrop-A is a dropper Trojan for the Windows platform.
Troj/Jupdrop-A may drop the empty file werdsf to the Windows system folder.
Troj/Jupdrop-A may drop the files mspostsp.exe and msupdate32.dll to the Windows system or local application data folder. The file mspostsp.exe is detected as Troj/Jupdrop-A and the file msupdate32.dll is usually detected as a member of the Troj/Jupdow family.
If the files are dropped to the Windows system folder, the following registry entries are created to run code exported by msupdate32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate
DllName
msupdate32.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate
Startup
WinlogonStartupEvent

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate
Impersonate
0

If the files are dropped to the local application data folder, the following registry entry is created to run mspostsp.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<local application data>\mspostsp.exe"
Troj/Jupdrop-A then runs mspostsp.exe, which injects msupdate32.dll into the process explorer.exe.
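
The two startup mechanisms described above can be checked for in a registry export. The following is an added example, not Sophos code: it scans text in .reg export format (assumed already decoded to a string) for Winlogon Notify packages and a per-user Winlogon Shell override. The sample export, its folder path and the function names are constructed for illustration.

```python
import re

NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
HKCU_WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
PAGE_FILES = ("msupdate32.dll", "mspostsp.exe")  # file names given in the description

# Constructed sample in .reg export format (the folder path is an assumption)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate]
"DllName"="msupdate32.dll"
"Startup"="WinlogonStartupEvent"
"Impersonate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\mspostsp.exe\""
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; string data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
            yield key, name, data

def find_persistence(text):
    """Return (tag, key, value_name, data) for each Winlogon autostart worth a look."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.startswith(NOTIFY + "\\") and n == "dllname":
            # Every Notify package loads a DLL into winlogon.exe: list them all.
            tag = "known-bad" if d.endswith(PAGE_FILES) else "review"
            findings.append((tag, key, name, data))
        elif k == HKCU_WINLOGON and n == "shell" and d.strip() != "explorer.exe":
            # A per-user Shell that launches anything besides explorer.exe.
            tag = "known-bad" if any(f in d for f in PAGE_FILES) else "review"
            findings.append((tag, key, name, data))
    return findings
```

Entries tagged "review" are Notify packages or Shell overrides that do not match the file names on this page and need to be compared against the system's expected configuration.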
