high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | August 2005 (3.96) |
| Protection available since | 30 June 2005 06:37:10 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Progent-A is a backdoor Trojan for the Windows platform.
When first run, the Trojan displays the following message box:
Error
No Theme Editor 6600 In Your Computer
Troj/Progent-A includes functionality to:
- access the internet and communicate with a remote server via HTTP
- steal information and passwords from a number of games and applications
- send notification messages to remote locations
- log key presses
Troj/Progent-A will attempt to disable a number of anti-virus and security-related applications. The Trojan will attempt to hide its activity from the user.
When first run Troj/Progent-A copies itself to <Windows>\qservice.exe and creates the following files:
<Windows>\JiurlPortHide.sys
<Windows>\k_urlmon.dll - text file containing keylogs
<Windows>\kurlmon.dll
<Windows>\services.dll
<System>\HookApi.dll
<System>\drivers\KeenSense.sys - text file
<System>\drivers\ksdevice.sys - text file
The following registry entry is created to run qservice.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
qservices
<Windows>\qservice.exe
The file JiurlPortHide.sys is registered as a new system driver service named "JiurlPortHide", with a display name of "JiurlPortHide". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\JiurlPortHide\
Troj/Progent-A sets the following registry entry, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
Troj/Progent-A may drop and run a file detected as Troj/LdPnch-Fam.
|
