Sophos

Troj/Spyjack-F

Aliases
  • Trojan.Win32.Small.ev
  • Druogna

Summary

 
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from March 2006 (4.03)
Protection available since 3 November 2005 21:34:45 (GMT)
Last updated 27 January 2006 03:13:48 (GMT)
Detected by All Sophos products

More Information

Troj/Spyjack-F is a Trojan for the Windows platform.

Troj/Spyjack-F includes functionality to download, install and run new software.

When Troj/Spyjack-F is installed the following files are created:

<Windows system folder>\intell32.exe
<Windows system folder>\oleext.dll
<Windows system folder>\oleext32.dll
<Windows folder>\uninstIU.exe
<Windows folder>\warnhp.html

The HTML file may be set as the background for Windows, and contains information alleging an infection. intell32.exe is used to display spurious infection alerts from the Windows task bar.

The following registry entry is created to run intell32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
intell32.exe
<Windows system folder>\intell32.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2
Source
131A6951-7F78-11D0-A979-00C04FD705A2

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2
SubscribedURL
131A6951-7F78-11D0-A979-00C04FD705A2

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2
FriendlyName
Internet Explorer Channel Bar

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2
Flags
3

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2
CurrentState
1

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
GeneralFlags
0

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
CurrentState
40000002

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
Flags
2002

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
FriendlyName
Warning homepage

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
Source
<Windows folder>\warnhp.html

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1
CurrentState
40000004

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\

Troj/Spyjack-F provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Internet Update".
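The registry indicators listed above (the Run value for intell32.exe, the desktop component pointing at warnhp.html, and the "Internet Update" uninstall key) can be checked offline against a registry export. The following is an added triage example, not Sophos code; the function names and the sample export are constructed for illustration, and name-based matches are leads to confirm with a scan rather than a verdict.

```python
import re

# Constructed sample in regedit/`reg export` text format (not from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"intell32.exe"="C:\\WINDOWS\\system32\\intell32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="Warning homepage"
"Source"="C:\\WINDOWS\\warnhp.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update]
'''

# Key paths from the description above, lowercased for case-insensitive matching.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
COMPONENTS = r"hkey_current_user\software\microsoft\internet explorer\desktop\components" + "\\"
UNINSTALL = r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\internet update"

def parse_reg_export(text):
    """Return {lowercased key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:  # undo the export's backslash escaping in the data
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_spyjack_indicators(keys):
    """Return (kind, location, data) tuples for entries matching the description."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "intell32.exe" or data.lower().endswith("\\intell32.exe"):
            hits.append(("run-key", name, data))
    for path, values in keys.items():
        if path.startswith(COMPONENTS):
            src = values.get("Source", "")
            if src.lower().endswith("\\warnhp.html") or values.get("FriendlyName") == "Warning homepage":
                hits.append(("desktop-component", path, src))
    if UNINSTALL in keys:
        hits.append(("uninstall-entry", UNINSTALL, ""))
    return hits
```

Exports written by regedit or `reg export` are UTF-16 encoded, so decode the file accordingly before passing its text to `parse_reg_export`.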
