Sophos

Troj/Oscor-B

Aliases
  • W32/Ginwui.A
  • Backdoor.Ginwui

Summary

Affected operating systems: Windows
Included in our products from: July 2006 (4.07)
Protection available since: 19 May 2006 15:09:17 (GMT)
Last updated: 20 May 2006 22:29:14 (GMT)
Detected by: All Sophos products

More Information

Troj/Oscor-B is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Oscor-B includes functionality to communicate with a remote server via HTTP.

After the computer has been restarted, Troj/Oscor-B attempts to contact http://localhosts.3322.org.

Troj/Oscor-B includes stealthing functionality. It hides:

  • the process
  • the file <System>\winguis.dll
  • the data in the registry entry

When first run, Troj/Oscor-B copies itself to <Temp>\20060424.bak, deletes the original sample and creates the following files:

  • <System>\drivers\DetPort.sys
  • <System>\drivers\IsPubDrv.sys
  • <System>\drivers\RvdPort.sys
  • <System>\winguis.dll

The SYS files are empty and non-malicious.

When first run, Troj/Oscor-B also creates the service GUI30svr.

Troj/Oscor-B injects itself into all running processes and hooks the following APIs:

Kernel32.dll
  • FindFirstFileW
  • FindNextFileW
  • Module32NewW

Psapi.dll
  • EnumProcessModules
  • GetModuleFileNameW

Advapi32.dll
  • EnumServicesStatusA
  • EnumServicesStatusW
  • RegEnumKeyA
  • RegEnumKeyExA
  • RegEnumKeyExW
  • RegEnumKeyW
  • RegEnumValueA
  • RegEnumValueExA
  • RegEnumValueExW
  • RegEnumValueW
  • RegQueryValueExA
  • RegQueryValueExW
  • RegSetValueExA
  • RegSetValueExW
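The hooks listed above are what let the Trojan hide its process, file and registry data from tools that call these exports. A defender-side check for this kind of user-mode hooking, added here as an example and not part of the Sophos description: it classifies the first bytes of a 32-bit x86 export as an inline trampoline (jmp rel32, push/ret, mov eax/jmp eax, jmp [abs], hot-patch short jmp) and reports where it redirects. The function names `prologue_is_hooked` and `export_is_hooked` and the sample prologues are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROLOGUE_BYTES 8   /* enough to cover every trampoline form below */

/*
 * Classify the first bytes of a 32-bit x86 function read from memory.
 * Returns 1 and sets *target when the prologue has been replaced by a
 * redirecting trampoline, 0 when it still looks like ordinary code.
 * code_va is the virtual address the bytes were read from.
 */
int prologue_is_hooked(const uint8_t *code, size_t len, uint32_t code_va,
                       uint32_t *target)
{
    uint32_t imm;
    if (len < 5) return 0;
    memcpy(&imm, code + 1, 4);                 /* imm32 after the opcode */
    switch (code[0]) {
    case 0xE9:                                 /* jmp rel32 */
        *target = code_va + 5 + imm;           /* wraps correctly mod 2^32 */
        return 1;
    case 0x68:                                 /* push imm32 ; ret */
        if (len >= 6 && code[5] == 0xC3) { *target = imm; return 1; }
        return 0;
    case 0xB8:                                 /* mov eax, imm32 ; jmp eax */
        if (len >= 7 && code[5] == 0xFF && code[6] == 0xE0) { *target = imm; return 1; }
        return 0;
    case 0xFF:                                 /* jmp dword ptr [abs32] */
        if (code[1] == 0x25 && len >= 6) {
            memcpy(&imm, code + 2, 4);
            *target = imm;                     /* address of the pointer slot */
            return 1;
        }
        return 0;
    case 0xEB:                                 /* short jmp (hot-patch style) */
        *target = code_va + 2 + (int8_t)code[1];
        return 1;
    default:
        return 0;
    }
}

#ifdef _WIN32
#include <windows.h>
/* Inspect an export of a module already loaded in this process. Because
 * Oscor-B injects into every process, the scanner's own copy of e.g.
 * kernel32!FindFirstFileW is exactly the one that would carry the hook. */
int export_is_hooked(const char *module, const char *name, uint32_t *target)
{
    HMODULE m = GetModuleHandleA(module);
    FARPROC p = m ? GetProcAddress(m, name) : NULL;
    return p ? prologue_is_hooked((const uint8_t *)p, PROLOGUE_BYTES,
                                  (uint32_t)(uintptr_t)p, target) : 0;
}
#endif
```

Call `export_is_hooked` for each module/export pair listed above and compare any reported target against the loaded module ranges; a redirect into winguis.dll or an unbacked region is the indicator. A clean XP-era export begins `8B FF 55 8B EC` (mov edi,edi; push ebp; mov ebp,esp) and is reported as not hooked.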

Troj/Oscor-B creates a hidden instance of Internet Explorer to communicate with the remote server via HTTP POST messages.

The following registry entry is set:

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value: AppInit_DLLs
Data: <System>\WINGUIS.DLL
