Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | September 2005 (3.97) |
| Protection available since | 19 June 2005 15:14:29 (GMT) |
| Last updated | 25 July 2005 14:27:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Mosuck-H is a backdoor Trojan that allows a remote intruder to gain access to and control over the computer.
Troj/Mosuck-H includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan also contains password-stealing functionality.
Troj/Mosuck-H will attempt to prevent access to certain anti-virus websites.
When Troj/Mosuck-H is run, the following files are created:
<Windows>\ActiveXExe\<Random Letters>.exe - Troj/Mosuck-H
<Windows>\<Random Letters>burn2.exe - W32/Sdbot-ZO
<System>\<Random Letters>18\<Random Letters>srv.exe - Troj/Mosuck-H
The following registry entries are created to run Troj/Mosuck-H on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<username> config
<path to Trojan EXE>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
<username> config
<path to Trojan EXE>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
<username> config
<path to Trojan EXE>
Troj/Mosuck-H is also registered as a COM object, creating registry entries under the following:
HKCR\CLSID\(55F39C05-1707-44B4-ADBB-BD35B02AAF83)\
HKCR\Interface\(78DDD4B8-06B2-4E98-9615-783B5C02AE66)\
HKCR\TypeLib\(5D657BFC-12D1-458B-989E-4092D52D7F68)\
HKCR\protectedpasswords.Class1\
Troj/Mosuck-H will modify the HOSTS file in order to deny access to certain anti-virus websites.
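The following triage check is an added example, not part of the original Sophos description. It matches the autostart value name, the dropped-file path patterns and the COM registrations listed above against registry entries supplied as (key, value name, data) tuples. The function name, the tuple format and the sample entries are assumptions made for illustration.

```python
import re

# Autostart keys and COM GUIDs as listed in the description above.
RUN_BASE = r"hklm\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {RUN_BASE + s for s in ("run", "runonce", "runonceex")}
COM_GUIDS = (
    "55f39c05-1707-44b4-adbb-bd35b02aaf83",
    "78ddd4b8-06b2-4e98-9615-783b5c02ae66",
    "5d657bfc-12d1-458b-989e-4092d52d7f68",
)
COM_PROGID = r"hkcr\protectedpasswords.class1"

def find_indicators(entries, username, windir, sysdir):
    """entries: iterable of (key, value_name, data); returns sorted (reason, key) pairs."""
    win, sysd = re.escape(windir.rstrip("\\")), re.escape(sysdir.rstrip("\\"))
    # <Windows>\ActiveXExe\<letters>.exe  or  <System>\<letters>18\<letters>srv.exe
    drop_path = re.compile(
        rf"^(?:{win}\\ActiveXExe\\[a-z]+\.exe|{sysd}\\[a-z]+18\\[a-z]+srv\.exe)$", re.I)
    hits = set()
    for key, name, data in entries:
        k = key.rstrip("\\").lower()
        if k in RUN_KEYS:
            name_hit = name.lower() == f"{username} config".lower()
            path_hit = bool(drop_path.match(data.strip().strip('"')))
            if name_hit and path_hit:
                hits.add(("autostart name and path", key))
            elif name_hit or path_hit:
                hits.add(("autostart partial match", key))
        # The GUID is matched without its surrounding brackets.
        elif k.startswith(COM_PROGID) or any(g in k for g in COM_GUIDS):
            hits.add(("COM registration", key))
    return sorted(hits)

# Constructed sample entries for a user named "alice"; not data from a real host.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "alice config",
     r"C:\WINDOWS\ActiveXExe\qwkzt.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
     r"C:\WINDOWS\system32\hbdx18\pfmsrv.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Backup config",
     r"C:\Program Files\Backup\agent.exe"),
    (r"HKCR\CLSID\{55F39C05-1707-44B4-ADBB-BD35B02AAF83}", "", ""),
]

if __name__ == "__main__":
    for reason, key in find_indicators(SAMPLE, "alice", r"C:\WINDOWS", r"C:\WINDOWS\system32"):
        print(f"{reason}: {key}")
```

A partial match (value name or path alone) is reported separately because either on its own can belong to unrelated software and needs manual review.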
