Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 27 October 2004 09:30:57 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Nano-A is a Windows keylogger Trojan that captures information and sends it as an HTML file to a remote location via HTTP.
The Trojan performs different actions under different Windows operating systems to ensure that it runs on computer restart.
Under Windows 9x, Troj/Nano-A modifies the WIN.INI file to run itself on computer restart:
[windows]
load=c:\windows\svchost.exe
The Trojan will also create the following registry entry to ensure that it auto-runs on computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
nano = %WINDOWS%\svchost.exe
Under Windows 9x, Troj/Nano-A captures and stores information in the following created registry entry:
HKLM\nano
Under Windows 2000/XP, Troj/Nano-A creates and registers itself as a Windows service process so that it auto-runs on computer restart. The Trojan creates a Windows service named 'nano' with a display name of 'nano' and an accompanying description of 'Windows Service Engine'.
Troj/Nano-A also creates the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NANO
HKLM\SYSTEM\CurrentControlSet\Services\nano
The Trojan stores the captured information in the following created registry entry:
HKLM\SOFTWARE\nano
Troj/Nano-A will attempt to change the Microsoft Windows AutoUpdate settings to manual update by changing the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUState = dword:00000001
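
As an added example (not Sophos code), the registry entries listed above can be checked against the text of a `reg export` dump taken from a suspect machine. The function names and the sample export are constructed for illustration, and the check covers the registry indicators only, not the WIN.INI change.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"  # .reg exports spell the hive name out in full
# Keys the write-up says Troj/Nano-A creates; key presence is the indicator.
INDICATOR_KEYS = {
    HKLM + r"\SYSTEM\CurrentControlSet\Services\nano": "service key 'nano'",
    HKLM + r"\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NANO": "LEGACY_NANO key",
    HKLM + r"\SOFTWARE\nano": "captured-data key (Windows 2000/XP)",
    HKLM + r"\nano": "captured-data key (Windows 9x)",
}
RUN_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AU_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

# Constructed sample export, not taken from a real infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nano"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nano]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUState"=dword:00000001
"""

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: raw_data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def find_nano_indicators(reg_text):
    """Return descriptions of the Troj/Nano-A registry indicators present."""
    keys = parse_reg(reg_text)
    hits = [desc for key, desc in INDICATOR_KEYS.items() if key.lower() in keys]
    run = keys.get(RUN_KEY.lower(), {}).get("nano", "")
    # The Trojan's copy is in the Windows directory; the genuine svchost.exe is in System32.
    if re.search(r'svchost\.exe"?$', run, re.I) and "system32" not in run.lower():
        hits.append("Run value 'nano' -> svchost.exe outside System32")
    if keys.get(AU_KEY.lower(), {}).get("austate", "").lower() == "dword:00000001":
        hits.append("AUState = dword:00000001")
    return hits
```

Exports written by regedit in version 5.00 format are UTF-16, so decode the file with that encoding before passing its text to `find_nano_indicators`.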
