Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | November 2005 (3.99) |
| Protection available since | 29 September 2005 22:36:11 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Radium-A is a backdoor Trojan for the Windows platform.
Troj/Radium-A allows a remote attacker to control the infected computer over a TCP connection.
When first run, Troj/Radium-A copies itself to:
<System>\HelpSvc.exe
<System>\ntr.sys
and creates the following files:
<System>\ldr.dll
<System>\msp.dll
The file ldr.dll is registered as a COM object, which creates registry entries under:
HKCR\CLSID\(FF00E8A3-2BE6-11D2-8003-92E340524100)
The following registry value is created so that the code exported by the Trojan library is run on startup:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value name: WebCheck
Data: (FF00E8A3-2BE6-11D2-8003-92E340524100)
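The persistence described above (a CLSID registered under HKCR\CLSID whose in-process server is the dropped ldr.dll, referenced from a value under ShellServiceObjectDelayLoad) can be triaged offline from an exported copy of those keys. The script below is an added example and not part of the Sophos description or any Sophos tool. It parses a .reg export, walks every ShellServiceObjectDelayLoad value, resolves the CLSID it names to its InProcServer32 DLL, and flags entries that match the indicators on this page. The sample export is constructed for the example; the benign entry, its placeholder CLSID and the drive paths are made up, while the Trojan CLSID and file names come from the description above (the registry stores CLSIDs in braces, where this page prints parentheses).

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description on this page.
RADIUM_CLSID = "{FF00E8A3-2BE6-11D2-8003-92E340524100}"
RADIUM_FILES = {"helpsvc.exe", "ntr.sys", "ldr.dll", "msp.dll"}
SSODL_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\ShellServiceObjectDelayLoad"
).upper()

# Constructed .reg export used as sample input. The first SSODL entry and its
# all-zero CLSID are placeholders standing in for a benign shell object.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SampleBenignObject"="{00000000-0000-0000-0000-000000000001}"
"WebCheck"="{FF00E8A3-2BE6-11D2-8003-92E340524100}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{FF00E8A3-2BE6-11D2-8003-92E340524100}\InProcServer32]
@="C:\\WINDOWS\\system32\\ldr.dll"
"""

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {KEY (upper-cased): {value name: string data}}.

    Only string (REG_SZ) data is unescaped; other types are kept as raw text.
    Registry key names are case-insensitive, so keys are upper-cased for lookup.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def ssodl_findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (value name, CLSID, server DLL path, reasons) for suspicious SSODL entries."""
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        clsid_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").upper()
        server = keys.get(clsid_key, {}).get("(Default)", "")
        reasons = []
        if clsid.upper() == RADIUM_CLSID:
            reasons.append("CLSID matches Troj/Radium-A")
        basename = server.rsplit("\\", 1)[-1].lower()
        if basename in RADIUM_FILES:
            reasons.append("server DLL %s is a Troj/Radium-A file name" % basename)
        if not server:
            # A delay-load entry whose CLSID has no server registered is worth a look
            # on its own: something registered it without a matching COM class.
            reasons.append("CLSID has no InProcServer32 registration in the export")
        if reasons:
            findings.append((name, clsid, server, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, clsid, server, why in ssodl_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%s -> %s (%s): %s" % (name, clsid, server or "no server", why))
```

Run against a real export (reg export of the two keys above), the same functions work unchanged. Matching on the CLSID and file names catches this particular sample; the more durable check is the last one in the loop together with a review of every server DLL that does not live where the shell's own objects do, since a different build would use a different CLSID and file names.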
If run with sufficient rights, Troj/Radium-A registers itself as an application authorized by Windows Firewall to communicate with the outside world.
Troj/Radium-A listens on a TCP port (8192 by default) for incoming connections. An attacker connecting to this port can take control of the infected computer and perform any of the following actions:
- transfer and delete files
- list and kill running processes
- execute arbitrary commands
- take screenshots
- hide desktop icons, the taskbar and the Start button
- open and close the CD tray
- change the TCP port number on which the Trojan listens
- shut down and restart the computer
