Sophos

Troj/Proxy-GG

Aliases
  • Trojan-Proxy.Win32.gg

Summary

 
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: December 2005 (4.00)
Protection available since: 15 September 2005 06:07:29 (GMT)
Last updated: 31 October 2005 23:01:18 (GMT)
Detected by: All Sophos products

More Information

Troj/Proxy-GG is a proxy Trojan for the Windows platform. The Trojan allows a remote intruder to access the internet via the infected computer.

When Troj/Proxy-GG is installed the following files are created:

<CurrentFolder>\<original Trojan filename>
<System>\inetinfo.exe
<System>\llsass.exe
<System>\lsmss.exe
<System>\mdm.exe

All of the created files are identical; the file includes functionality to access the internet and communicate with a remote server via HTTP.

The following registry entries are created to run inetinfo.exe, llsass.exe, lsmss.exe and mdm.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
mdm.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsmss.exe
lsmss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(default)
llsass.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
inetinfo.exe
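
The check below is an added example, not Sophos code: it scans saved `reg query` output for the four autorun values listed above, matching on key, value name and the file name in the data. The sample export is constructed, the function names are hypothetical, and the input is assumed to be in the text layout that `reg query` prints.

```python
import ntpath
import re

# Autorun values from the write-up: (key, value name, file name in the data).
INDICATORS = {
    (r"hkcu\software\microsoft\windows nt\currentversion\windows", "run", "mdm.exe"),
    (r"hkcu\software\microsoft\windows nt\currentversion\windows", "load", "inetinfo.exe"),
    (r"hklm\software\microsoft\windows\currentversion\run", "lsmss.exe", "lsmss.exe"),
    (r"hklm\software\microsoft\windows\currentversion\run", "(default)", "llsass.exe"),
}
HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample in the layout `reg query` prints; not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ    llsass.exe
    lsmss.exe    REG_SZ    lsmss.exe
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load    REG_SZ    C:\WINDOWS\system32\inetinfo.exe
    Device    REG_SZ    Example Printer,winspool,Ne00:
"""

def parse_reg_query(text):
    """Yield (key, value name, data) for every value line in the export."""
    key = None
    for line in text.splitlines():
        m = VALUE_RE.match(line)            # value lines are indented
        if m and key:
            yield key, m.group(1), m.group(3).strip()
        elif line.strip() and not line[0].isspace():
            key = line.strip()              # unindented line = key path

def normalise_key(key):
    hive, _, rest = key.lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

def file_names(data):
    # File names referenced in the data, ignoring directories and quotes.
    return {ntpath.basename(t.strip('"')) for t in re.split(r"[\s,]+", data.lower()) if t}

def find_hits(text):
    """Return the (key, value name, data) entries that match an indicator."""
    return [(key, name, data)
            for key, name, data in parse_reg_query(text)
            for ind_key, ind_name, ind_file in INDICATORS
            if (normalise_key(key), name.lower()) == (ind_key, ind_name)
            and ind_file in file_names(data)]
```

A hit is a lead to confirm by checking for the named file in the system folder; `find_hits(SAMPLE)` returns the three matching entries and skips the two benign values.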
