high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | July 2005 (3.95) |
| Protection available since | 8 June 2005 12:52:13 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.
More Information
Troj/Qukart-W is a password stealing Trojan for the Windows platform.
When first run Troj/Qukart-W copies itself to the Windows System folder with the name Odkiiljk.exe.
The Trojan drops two clean files named !apihook.txt and !apihook.bin to the root of the C: drive, a text file named xmzf2c.dll to the System folder; and a DLL with a random filename also to the System folder.
The following registry entry is created to run code exported by the dropped Trojan DLL on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
Web Event Logger
(7CFBACFF-EE01-1231-ABDD-416592E5D639)
The dropped DLL is registered as a COM object, creating registry entries under:
HKCR\CLSID\(7CFBACFF-EE01-1231-ABDD-416592E5D639)
Troj/Qukart-W changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\
The following registry entries are set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1601
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1601
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1601
0
|
