Sophos

Troj/Lohav-F

Aliases
  • I-Worm.Bagle.l
  • W32/Bagle.l
  • Trojan.Mitglieder.C
  • WORM_BAGLE.L

Summary

Included in our products from November 2004 (3.87)
Protection available since 25 March 2004 13:14:50 (GMT)
Last updated 16 September 2004 10:01:08 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to delete the following registry entry for each user who ran the worm. Removing this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe = C:\WINDOWS\System32\irun4.exe

and delete it if it exists.

Close the registry editor and reboot your computer.

More Information

Troj/Lohav-F is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk.

In order to run automatically when Windows starts up, Troj/Lohav-F creates the following registry entry in the hive of the user who ran it (HKEY_USERS\[code number], shown below as HKU\[code number]):

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe = C:\WINDOWS\System32\irun4.exe

Troj/Lohav-F also sets the following registry entries in the same hive. The 'port' value, dword 0x2b6d, is 11117 in decimal, which is the backdoor port described below:

HKU\[code number]\Software\DateTime\uid = <number>
HKU\[code number]\Software\DateTime\port = dword:00002b6d
HKU\[code number]\Software\DateTime\r4dr = dword:00000001
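The removal instructions above tell you to export the registry before editing it, and the entries just listed are what to look for in that export. The following script is an added example, not Sophos code: it parses a Regedit export, reports per user hive (HKEY_USERS\[code number]) the Run\ssgrate.exe autorun value and the Software\DateTime values, decodes the dword port to confirm it is 11117, and lists the SIDs whose Run key needs the value deleted. The .reg text in the block is constructed for the example; the SIDs, paths and values are illustrative.

```python
"""Triage a Regedit export (.reg) for the Troj/Lohav-F registry indicators.

Added example, not Sophos code. Parses the file produced by Regedit's
'Export Registry File' and reports, per user hive (HKEY_USERS\\<SID>),
the Run\\ssgrate.exe autorun value and the Software\\DateTime values.
The .reg text below is constructed for the example, not a real export.
"""
import re

RUN_VALUE = "ssgrate.exe"                      # autorun value name
RUN_KEY = r"software\microsoft\windows\currentversion\run"
DATETIME_KEY = r"software\datetime"            # worm's config key (lower-cased)
BACKDOOR_PORT = 11117                          # 0x2b6d, the 'port' value

# Constructed sample: hive ...1001 is infected, hive ...1002 is clean.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ssgrate.exe"="C:\\WINDOWS\\System32\\irun4.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\DateTime]
"uid"="1234567"
"port"=dword:00002b6d
"r4dr"=dword:00000001

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def decode_data(raw):
    """Decode a .reg value: dword:XXXXXXXX -> int, "..." -> unescaped str."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_indicators(text):
    """Return [(sid, description)] for every indicator found in each user hive."""
    hits = []
    for key, values in parse_reg(text).items():
        parts = key.split("\\")
        if len(parts) < 3 or parts[0].upper() != "HKEY_USERS":
            continue
        sid, subkey = parts[1], "\\".join(parts[2:]).lower()
        if subkey == RUN_KEY and RUN_VALUE in values:
            hits.append((sid, f"Run\\{RUN_VALUE} = {decode_data(values[RUN_VALUE])}"))
        elif subkey == DATETIME_KEY:
            for name in ("uid", "port", "r4dr"):
                if name in values:
                    hits.append((sid, f"DateTime\\{name} = {decode_data(values[name])}"))
    return hits


def infected_sids(text):
    """SIDs whose Run key carries the worm's autorun value (delete it for each)."""
    return sorted({sid for sid, desc in find_indicators(text) if desc.startswith("Run\\")})


def backdoor_port(text):
    """Decoded DateTime\\port value from the first hive that has one, or None."""
    for key, values in parse_reg(text).items():
        if key.lower().endswith("\\" + DATETIME_KEY) and "port" in values:
            return decode_data(values["port"])
    return None


if __name__ == "__main__":
    for sid, desc in find_indicators(SAMPLE_REG):
        print(f"{sid}: {desc}")
    print("delete Run\\ssgrate.exe for:", ", ".join(infected_sids(SAMPLE_REG)))
```

A real export from Regedit on Windows 2000 and later is UTF-16; read it with `open(path, encoding="utf-16")` before passing the text to `find_indicators`. Match on the decoded port rather than on the raw dword string so the check still works if an export is written in a different numeric form.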

Troj/Lohav-F opens up a backdoor on port 11117 and listens for connections. If it receives the appropriate command it attempts to download and execute a file.

Troj/Lohav-F also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.

The worm terminates processes with the following names:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

Troj/Lohav-F attempts to retrieve the following URLs:
http://www.lowenbrau.ru/manager_old/images/ngr2.php
http://www.ctn.ru/marketing/images/ngr2.php
http://alfinternational.ru/old/oli-lack_katalog/ngr2.php
http://www.psnr.ru/rus/images/banners/ngr2.php
http://www.gasterixx.de/gfx/ngr2.php
http://www.deadlygames.de/DG/BF/BF-Links/clans/ngr2.php
http://www.o-problemo.de/gaestebuch/ngr2.php
http://www.tv87.de/subdomain_la/Fachwart/ngr2.php
http://www.ranknet.de/LVS/pics/_notes/ngr2.php
http://www.joerrens.de/system/include/crc.php
http://www.bbszene.de/store/images/video_amazon/ngr2.php
http://www.gebr-wachs.de/mod/san_beratung/thumb/ngr2.php
http://www.lords-of-havoc.de/Avatare/ngr2.php
http://comdat.de/kreta/ngr2.php
http://www.eurostretch.ru/ngr2.php
http://mir-auto.ru/ngr2.php
http://artesproduction.com/ngr2.php
http://www.hhc-online.de/home/links/pics/ngr2.php
http://gaz-service.ru/img/pict/ngr2.php
http://rdwufa.ru/img/pict/ngr2.php
http://www.komandor.ru/sessions/ngr2.php
http://www.mirage.ru/sport/omega/pic/omega/ngr2.php
http://www.komandor.ru/sessions/banlist.php
http://www.lowenbrau.ru/manager_old/images/banlist.php
http://www.ctn.ru/marketing/images/banlist.php
http://alfinternational.ru/old/oli-lack_katalog/banlist.php
http://www.psnr.ru/rus/images/banners/banlist.php
http://gaz-service.ru/img/pict/banlist.php
http://rdwufa.ru/img/pict/banlist.php
http://www.mirage.ru/sport/omega/pic/omega/banlist.php
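The two network indicators above, the backdoor listener on port 11117 and the ngr2.php / banlist.php / crc.php reporting URLs, are what a responder would hunt for in proxy and firewall logs. The script below is an added example, not Sophos code: it matches a subset of the listed URLs exactly, flags the same script names on any other host at lower confidence (the full list is longer than shown, and crc.php is too generic a name for the loose match), and flags accepted connections to destination port 11117. It assumes the listener is TCP (the advisory says only that it listens for connections); the log lines and formats are constructed for the example, and the 10.0.0.x, 203.0.113.9 and 198.51.100.7 addresses and mirror.example.net host are illustrative.

```python
"""Match proxy and firewall log lines against the Troj/Lohav-F network indicators.

Added example, not Sophos code. Two kinds of indicator from the advisory:
the reporting URLs (ngr2.php / banlist.php / crc.php scripts) and the
backdoor listener on port 11117. Assumptions: the listener is TCP (the
advisory only says it "listens for connections"), and the log formats
and addresses below are constructed for the example, not real traffic.
"""
import re
from urllib.parse import urlsplit

# Exact-match URLs from the advisory (a subset; add the rest of the list).
REPORT_URLS = [
    "http://www.lowenbrau.ru/manager_old/images/ngr2.php",
    "http://www.komandor.ru/sessions/banlist.php",
    "http://www.joerrens.de/system/include/crc.php",
]
# Looser pattern: the same script names on any host, reported at lower confidence.
SCRIPT_NAMES = {"ngr2.php", "banlist.php"}
BACKDOOR_PORT = 11117


def normalise(url):
    """(host, path) with the host lower-cased, so the match is case-insensitive."""
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.path


IOC_SET = {normalise(u) for u in REPORT_URLS}

# Constructed formats: a CLF-style proxy line and a simple firewall line.
PROXY_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
FW_RE = re.compile(r"(?P<action>ACCEPT|DROP) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
                   r"(?P<dst>[\d.]+):(?P<dport>\d+)")

SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2004:13:20:01 +0000] "GET http://www.lowenbrau.ru/manager_old/images/ngr2.php HTTP/1.0" 200 312',
    '10.0.0.7 - - [25/Mar/2004:13:20:09 +0000] "GET http://www.example.com/index.html HTTP/1.0" 200 5120',
    '10.0.0.5 - - [25/Mar/2004:13:20:40 +0000] "GET http://mirror.example.net/img/ngr2.php HTTP/1.0" 404 0',
    "2004-03-25T13:21:07Z ACCEPT TCP 203.0.113.9:40213 -> 10.0.0.5:11117",
    "2004-03-25T13:21:30Z ACCEPT TCP 10.0.0.5:1044 -> 198.51.100.7:80",
]


def classify_url(url):
    """'exact' for a listed URL, 'suspect' for the script name on another host, else None."""
    host, path = normalise(url)
    if (host, path) in IOC_SET:
        return "exact"
    if path.rsplit("/", 1)[-1].lower() in SCRIPT_NAMES:
        return "suspect"
    return None


def scan(lines):
    """Return [(line_no, severity, detail)] for every line hitting an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.search(line)
        if m:
            sev = classify_url(m.group("url"))
            if sev:
                hits.append((n, sev, m.group("url")))
            continue
        m = FW_RE.search(line)
        if m and int(m.group("dport")) == BACKDOOR_PORT:
            detail = f"{m.group('src')} -> {m.group('dst')}:{m.group('dport')} ({m.group('action')})"
            hits.append((n, "exact", detail))
    return hits


if __name__ == "__main__":
    for n, sev, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {sev}: {detail}")
```

An inbound connection to port 11117 on a workstation is the stronger signal, since the worm is the listener; a proxy hit on one of the listed URLs identifies the infected client by source address and also shows the beacon reached the reporting script. Treat a 'suspect' hit as a lead to confirm against the full URL list, not as proof on its own.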
