Sophos

Troj/Oblivion-B


Action

Please read the instructions for removing Trojans.

Windows 95/98/Me and Windows NT/2000

After you have deleted the Trojan file (iexpIore.exe in the Windows System directory; note the upper-case 'I' in place of the 'l' of the genuine Internet Explorer executable, iexplore.exe, which must be left in place) you will need to edit the changed registry keys and the win.ini and system.ini files.

At the Windows taskbar, select Start|Run. Type 'Regedit' and press return. The registry editor will open.

Before you edit the registry, you should make a backup. In the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and delete its value 'Default web browser', which refers to 'iexpIore.exe'.

Locate the HKEY_LOCAL_MACHINE key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and delete its value 'Default web browser', which refers to 'iexpIore.exe'.

Locate the HKEY_LOCAL_MACHINE key:

HKLM\Software\Microsoft\Active Setup\Installed Components\Default web browser

and delete its 'StubPath' value, which refers to 'iexpIore.exe'.

Close the Registry Editor.

Edit the system.ini file, which can be found in the Windows directory, using Notepad. Search for the reference to 'iexpIore.exe' in the 'shell=' line in the [boot] section of the file. Delete the reference to 'iexpIore.exe' only, so that the line reads 'shell=explorer.exe'; removing the whole line would leave Windows without a shell.

Similarly, edit the win.ini file (also in the Windows directory) using Notepad. In the [windows] section, search for the entries 'load=iexpIore.exe' and 'run=iexpIore.exe'. Delete them.

Restart your computer.
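The registry and .ini clean-up above can be checked and carried out offline against the files it names: the registry export made as a backup in the first step, plus copies of system.ini and win.ini. The script below is an added example and is not a Sophos tool or part of this description. It scans a regedit export (.reg text) for the three locations listed, rewrites the 'shell=' line and removes the 'load=' and 'run=' entries, and relies only on the file name's distinguishing feature: the upper-case 'I' of 'iexpIore.exe' survives case-folding as 'iexpiore.exe', so the genuine iexplore.exe is never matched. The sample export and .ini contents are constructed for the demonstration (the 'IEXPLORE' Run entry is a decoy added to show that the real browser path is not flagged).

```python
"""Check a regedit export, system.ini and win.ini for the Troj/Oblivion-B
persistence entries and produce cleaned copies of the two .ini files.
Added example; not Sophos' code.  Sample inputs below are constructed."""
import re

TROJAN_NAME = "iexpIore.exe"               # upper-case I, not lower-case l
TROJAN_FOLDED = TROJAN_NAME.casefold()      # 'iexpiore.exe' != 'iexplore.exe'

# Registry locations named in the description (value names or key paths).
REG_LOCATIONS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\Default web browser",
)

def is_trojan_name(path):
    """True only for the look-alike name; never for the real iexplore.exe."""
    base = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return base.casefold() == TROJAN_FOLDED

def scan_reg_export(text):
    """Return (key, value_name) pairs whose data names the Trojan, limited
    to the locations listed in the description."""
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                   # new key section
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)    # "name"=data
        if not m or current is None:
            continue
        if not any(current.casefold().startswith(loc.casefold()) for loc in REG_LOCATIONS):
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
        if any(is_trojan_name(tok) for tok in data.split()):
            hits.append((current, name))
    return hits

def _strip_trojan_tokens(value):
    return " ".join(tok for tok in value.split() if not is_trojan_name(tok))

def clean_ini(text, section, keys, default=None):
    """Rewrite `key=` lines in `section` so they no longer name the Trojan.
    A line left empty is dropped, unless `default` is given, in which case it
    becomes `key=default` (system.ini's shell= line must keep explorer.exe)."""
    out, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].casefold()
            out.append(line)
            continue
        m = re.match(r"^\s*([^=;]+?)\s*=(.*)$", line)
        if current == section.casefold() and m and m.group(1).casefold() in keys:
            value = _strip_trojan_tokens(m.group(2))
            if value:
                out.append(f"{m.group(1)}={value}")
            elif default is not None:
                out.append(f"{m.group(1)}={default}")
            continue                               # emptied load=/run= line: drop it
        out.append(line)
    return "\n".join(out) + "\n"

def clean_system_ini(text):
    return clean_ini(text, "boot", {"shell"}, default="explorer.exe")

def clean_win_ini(text):
    return clean_ini(text, "windows", {"load", "run"})

# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IEXPLORE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Default web browser"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Default web browser"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\Default web browser]
"StubPath"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe"
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe iexpIore.exe\ndrivers=mmsystem.dll\n\n[386Enh]\ndevice=*vmouse\n"
SAMPLE_WIN_INI = "[windows]\nload=iexpIore.exe\nrun=iexpIore.exe\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for key, name in scan_reg_export(SAMPLE_REG):
        print(f"registry: [{key}] {name!r} -> {TROJAN_NAME}")
    print("--- cleaned system.ini ---\n" + clean_system_ini(SAMPLE_SYSTEM_INI))
    print("--- cleaned win.ini ---\n" + clean_win_ini(SAMPLE_WIN_INI))
```

On a real system, read the exported Backup.reg and the two .ini files from the Windows directory into these functions and write the cleaned .ini text back only after confirming the diff; the registry values themselves still have to be deleted in Regedit as described above, since the script only reports them.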


More Information

Troj/Oblivion-B is a backdoor Trojan that allows others remote access to your computer over a network. It copies itself to the Windows System directory as iexpIore.exe (with an upper-case 'I' in place of the 'l' of the genuine iexplore.exe) and sets the registry values

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Default web browser
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Default web browser
HKLM\Software\Microsoft\Active Setup\Installed Components\Default web browser\StubPath

to all point to the executable.

It also changes the entry shell= in the [boot] section of system.ini to "explorer.exe iexpIore.exe", and adds new ini entries load=iexpIore.exe and run=iexpIore.exe in the [windows] section of win.ini.

It uses ICQ and IRC channels to notify the sender of activation.
