Troj/Slsorve-A

Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	June 2005 (3.94)
Protection available since	11 May 2005 08:57:54 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

Troj/Slsorve-A is a Trojan for the Windows platform. It downloads a file from the web and sends email to a remote address using its own SMTP engine. It terminates anti-virus related processes.

The Trojan creates a file called 'dela.dat', which is used to delete itself after execution from the local folder.

The Trojan creates the following registry entry to ensure it automatically executes during Windows startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
27
<Windows system folder>\slsorve.exe

The Trojan connects to the following URL:

http://www1.i3game.com/cstest3/login.asp

The URL was inaccessible at the time of writing.

The Trojan terminates the following anti-virus related processes:

assistse.exe
ccapp.exe
ccsetmgr.exe
defwatch.exe
dfvsnet.exe
eghost.exe
iparmor.exe
kav32.exe
kavpfw.exe
kavplus.exe
kavstart.exe
kavsvc.exe
kavsvcui.exe
kpfwsvc.exe
kpopmon.exe
kvapfw.exe
kvcenter.kxp
kvfw.exe
kvmonxp.kxp
kvsrvxp.exe
kvxp.kxp
kwatch.exe
kwatchui.exe
mailmon.exe
navw32.exe
netbargp.exe
nmain.exe
passwordguard.exe
pfw.exe
ravmon.exe
ravtimer.exe
rfw.exe
rtvscan.exe
teregpct.exe
vptray.exe

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Slsorve-A

Summary

Action

More Information