high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | May 2005 (3.93) |
| Protection available since | 21 March 2005 07:13:59 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
r_server
%SYSTEM%\SERVICE.EXE /service
and delete it if it exists.
Close the registry editor.
More Information
Troj/Multidr-CP is a Windows Trojan that drops files.
While running in the background as a service process, the Trojan drops two files in the Windows System folder with filenames AdmDll.dll and service.exe, which are legitimate remote server applications.
Troj/Multidr-CP creates the following registry entry so as to run the dropped file service.exe automatically on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
r_server
%SYSTEM%\SERVICE.EXE /service
The Trojan also installs the dropped file service.exe as a service in the registry with the following characteristics:
<servicename>
r_server
<displayname>
Remote Administrator Service
<imagepath>
%SYSTEM%\service.exe /service
Troj/Multidr-CP stores its own data in the following registry entry:
HKLM\System\RAdmin\v2.0\Server\Parameters
|
