Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 9 May 2005 14:06:14 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.
More Information
Troj/Puper-A is a browser-hijacking Trojan.
When the Trojan is installed, the following files are created:
<SYSTEM>\hhk.dll
<SYSTEM>\intmon.exe
<SYSTEM>\hp<random characters>.TMP
The last of these files is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, with registry entries created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]
HKCR\CLSID\VMHomepage\
HKCR\CLSID\[FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]
HKCR\Interface\[1E1B2878-88FF-11D2-8D96-D7ACAC95951F]
HKCR\TypeLib\[1E1B286C-88FF-11D2-8D96-D7ACAC95951F]
In order to run itself on startup, the Trojan creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run
paint.exe
shnlog.exe
The Trojan changes settings for Microsoft Internet Explorer, including Start Page and search settings, by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Search\
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\
Registry entries are also created under:
HKCR\CLSID\VMHomepage\
HKCR\CLSID\VMHomepage.1\
HKCR\VMHomepage\
HKCR\VMHomepage.1\
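
The following read-only PowerShell check looks for the files and registry entries listed above. It is an added example, not Sophos code. Assumptions: <SYSTEM> is the Windows system folder, paint.exe and shnlog.exe may appear as either the name or the data of a value under the run key, and a Browser Helper Object whose COM server is a .TMP file is treated as suspicious.

```powershell
# Added example: read-only check for the Troj/Puper-A artifacts listed in this analysis.
# Assumption: <SYSTEM> is the system folder; on 64-bit Windows also check %windir%\SysWOW64.
$sys = [Environment]::SystemDirectory
$findings = @()

# Dropped files with fixed names
foreach ($name in 'hhk.dll', 'intmon.exe') {
    $path = Join-Path $sys $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# hp<random characters>.TMP in the system folder
Get-ChildItem -Path $sys -Filter 'hp*.tmp' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Candidate BHO file: $($_.FullName)" }

# Resolve every registered BHO to its COM server and flag any that load a .TMP file
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $server = (Get-ItemProperty -LiteralPath $srvKey -ErrorAction SilentlyContinue).'(default)'
    if ($server -like '*.tmp') { $findings += "BHO $clsid loads $server" }
}

# Startup entry under policies\explorer\run (match value name or data; an assumption)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run'
$k = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($k) {
    foreach ($n in $k.GetValueNames()) {
        $v = $k.GetValue($n)
        if ("$n $v" -match '\b(paint|shnlog)\.exe\b') { $findings += "Startup value '$n' = $v" }
    }
}

# VMHomepage class registrations
foreach ($sub in 'CLSID\VMHomepage', 'CLSID\VMHomepage.1', 'VMHomepage', 'VMHomepage.1') {
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$sub") {
        $findings += "Registry key present: HKCR\$sub"
    }
}

# Internet Explorer Start Page, shown for manual review
$ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie) { "Current Start Page (review manually): $($ie.'Start Page')" }

if ($findings) { $findings } else { 'No Troj/Puper-A artifacts from this analysis were found.' }
```

The HKCU check covers only the account that runs the script, so repeat it for each user profile on the machine.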
