Sophos

Troj/Netdeny-B

Aliases
  • Fantibag.B

Summary

Affected operating systems: Windows
Included in our products from: September 2005 (3.97)
Protection available since: 4 July 2005 13:11:08 (GMT)
Last updated: 20 July 2005 18:14:01 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
firewall_anti
<Windows>\firewall_anti.exe

and delete it if it exists.

Close the registry editor.

More Information

Troj/Netdeny-B is a Trojan for the Windows platform.

When first run, Troj/Netdeny-B copies itself to <Windows>\firewall_anti.exe and creates the file <Windows>\firewall_anti.exe.dll. The file firewall_anti.exe.dll is also detected by Sophos as Troj/Netdeny-B.

The following registry entry is created to run firewall_anti.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
firewall_anti
<Windows>\firewall_anti.exe

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
NextInstance
00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
Class
LegacyDriver

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
ClassGUID
(random ClassID)

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
ConfigFlags
00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
DeviceDesc
IP Traffic Filter Driver

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
Legacy
00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
Service
IpFilterDriver

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
*NewlyCreated*
00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
ActiveService
IpFilterDriver

HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
0
Root\LEGACY_IPFILTERDRIVER\0000

HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
Count
00000001

HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Enum
NextInstance
00000001
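As an added example (not Sophos's own tooling), the following Python checks a Regedit "Export Registry File" backup, such as the Backup file made in the Action section, for the persistence entry described above; it assumes the standard 5.00 text export format, and the sample export is constructed. Because IpFilterDriver is a legitimate Windows service, the LEGACY_IPFILTERDRIVER entries are treated only as corroboration of the Run entry, not as an indicator on their own.

```python
from typing import Dict, List

# Constructed sample (not a real capture) of a Regedit "Export Registry File"
# backup containing the Troj/Netdeny-B persistence entry described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"firewall_anti"="C:\\WINDOWS\\firewall_anti.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control]
"ActiveService"="IpFilterDriver"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ENUM_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and "name"="value" / "name"=dword:... lines of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # un-escape .reg backslashes
            keys[current][name] = value
    return keys


def find_netdeny_indicators(text: str) -> List[str]:
    """Return the Troj/Netdeny-B registry indicators present in a .reg export."""
    keys = parse_reg(text)
    hits: List[str] = []
    for name, value in keys.get(RUN_KEY, {}).items():
        # Strong indicator: the Run value name / executable named on the page.
        if name.lower() == "firewall_anti" or value.lower().endswith("firewall_anti.exe"):
            hits.append(f"Run value {name!r} -> {value}")
    # Weak indicator: IpFilterDriver is a legitimate Windows service, so its
    # Enum entries only count as corroboration next to the Run entry above.
    if hits and any(k.upper().startswith(ENUM_KEY.upper()) for k in keys):
        hits.append("LEGACY_IPFILTERDRIVER enum entries present (corroborating)")
    return hits
```

Real 5.00 exports are written as UTF-16 with a byte-order mark, so open the file with encoding="utf-16" before passing its text to find_netdeny_indicators.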

Once installed, Troj/Netdeny-B attempts to block internet access, specifically targeting access to the following security- and adware-related websites:


Troj/Netdeny-B also injects itself into the process that hosts the Windows Shell_TrayWnd window in order to hide itself.

Troj/Netdeny-B may be downloaded by the Bagle family of worms.
