Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | November 2006 (4.11) |
| Protection available since | 6 December 2005 18:10:05 (GMT) |
| Last updated | 5 October 2006 13:10:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Spabot-E is a Trojan for the Windows platform.
Troj/Spabot-E drops the following files to the Windows system folder:
chp.dll
ddr64.dll
The file chp.dll is also detected as Troj/Spabot-E. The file ddr64.dll is a clean configuration file. If a file named chp.dll already exists, it may be moved to <System>\<random number>.dl_.
The file dropped as chp.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
HKCU\Software\Classes\CLSID\(429F4BB8-7BF7-4152-8011-3C6F9EB7E892)
HKCR\CLSID\(429F4BB8-7BF7-4152-8011-3C6F9EB7E892)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(429F4BB8-7BF7-4152-8011-3C6F9EB7E892)
Troj/Spabot-E may set an entry at one of the following locations to run chp.dll:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
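
The registry indicators listed above can be checked offline against the text of a regedit export. This is an added example, not Sophos code: the function name and the sample export are constructed, and matching load-point entries by the CLSID or the file name chp.dll is an assumption about how the entry is written.

```python
# Added example: offline check of regedit export text for this page's registry indicators.
GUID = "429f4bb8-7bf7-4152-8011-3c6f9eb7e892"  # CLSID from the page, brackets omitted

# Key fragments under which the COM object / BHO registration appears.
REGISTRATION_PARENTS = ("\\clsid\\", "\\browser helper objects\\")
# Load points named on the page (hive written as regedit exports it).
LOAD_POINTS = (
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion"
    "\\explorer\\sharedtaskscheduler",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion"
    "\\shellserviceobjectdelayload",
)

def scan_reg_export(text):
    """Return (key, reason) findings from the text of a .reg export."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if GUID in low and any(p in low for p in REGISTRATION_PARENTS):
                findings.append((key, "COM/BHO registration"))
        elif "=" in line and key.lower() in LOAD_POINTS:
            # Assumption: the entry names the CLSID or the file chp.dll.
            if GUID in low or "chp.dll" in low:
                findings.append((key, "load-point entry"))
    return findings

# Constructed sample export, not captured from a real system.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}"="constructed"
"{00000000-0000-0000-0000-000000000002}"="unrelated"
'''

if __name__ == "__main__":
    for key, reason in scan_reg_export(SAMPLE):
        print(reason + ": " + key)
```

Export files written by regedit are normally UTF-16, so decode them before passing the text in.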
Troj/Spabot-E contacts a remote URL to download configuration data and to report that the computer is infected. The Trojan may attempt to download the following configuration files to the <Temp> folder:
upd.txt
url.sys
tsk.sys
body.dat
mailz.dat
Troj/Spabot-E may be configured to download a file from a remote website to <Temp>\file.exe and execute it.
Troj/Spabot-E may be used to send configurable spam emails.
Troj/Spabot-E may delete its main exe file by running a file it drops to <Temp>\zbz.bat.
Troj/Spabot-E creates registry entries under the following key:
HKCU\Software\Microsoft\Internet Explorer\Security\
