Sophos

Troj/Spywad-E

Aliases
  • Downloader-AFH
  • Trojan.Desktophijack
  • Trojan-Clicker.Win32.Spywad.h

Summary

 
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: November 2005 (3.99)
Protection available since: 23 September 2005 06:28:47 (GMT)
Detected by: All Sophos products

More Information

Troj/Spywad-E is a downloader application for a spyware removal program.

Once run, Troj/Spywad-E copies itself to "C:\winstall.exe" and creates the following registry entries so that it runs at user logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SNInstall
<path to application>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows installer
C:\winstall.exe
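
As an added example (not Sophos code), the check below scans the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for the two autostart value names and the C:\winstall.exe path listed above. The function names and the sample output are constructed for illustration, and the 4-space column layout of reg.exe output is assumed. Because the SNInstall data is only given as "<path to application>", that entry is matched by name alone.

```python
import re

# Autostart indicators taken from the description above (HKCU Run key).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAMES = {"sninstall", "windows installer"}
IOC_DATA = r"c:\winstall.exe"

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["data"].strip()

def find_spywad_autostarts(text):
    """Return Run-key values whose name or data matches the entries on this page."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() != RUN_KEY.lower():
            continue  # only the HKCU Run key is of interest here
        reasons = []
        if name.lower() in IOC_VALUE_NAMES:
            reasons.append("value name")
        if data.strip('"').lower() == IOC_DATA:
            reasons.append("data path")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample output, not taken from a real machine.
SAMPLE = "\n".join([
    "",
    RUN_KEY,
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    r"    SNInstall    REG_SZ    C:\Documents and Settings\user\Desktop\setup.exe",
    r"    Windows installer    REG_SZ    C:\winstall.exe",
    r'    Updater    REG_SZ    "C:\WINSTALL.EXE"',
    "",
])

if __name__ == "__main__":
    for name, data, reasons in find_spywad_autostarts(SAMPLE):
        print(f"{name!r} -> {data} (matched on {', '.join(reasons)})")
```

A match on value name alone is a weaker signal than a match on the data path, so the reasons are reported separately for triage.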

Troj/Spywad-E attempts to create a file SpySheriff.dvm in the folder C:\Program Files\SpySheriff\.

Troj/Spywad-E also creates the following registry entries:

HKCU\Software\Reinstall

Troj/Spywad-E may make changes to the following registry entries:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoChangingWallpaper

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoComponents

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoAddingComponents

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoDeletingComponents

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoEditingComponents

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoHTMLWallPaper

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoActiveDesktop

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClassicShell

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
ForceActiveDesktopOn

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Wallpaper

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
WallpaperStyle

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
TileWallpaper

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
ComponentsPositioned

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
WallpaperFileTime

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
WallpaperLocalFileTime

HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
WallpaperFileTime

HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
WallpaperLocalFileTime

Troj/Spywad-E then attempts to connect to a remote website, download a file and run it.
