Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 1 May 2005 14:46:29 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Stoped-A is a downloading Trojan for the Windows platform.
Troj/Stoped-A copies itself to the file regsrvc.exe in the Windows system folder and creates the following registry entry to run automatically at system restart or logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
regsrvc
<Windows system>\regsrvc.exe
The Trojan drops another file as comctldl.dll in the Windows system folder. This file is also detected as Troj/Stoped-A. This file is installed as a Microsoft Internet Explorer plugin by creating the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4B66678-C8BA-61D3-9ED9-13309406392A}
HKCR\CLSID\{A4B66678-C8BA-61D3-9ED9-13309406392A}\InprocServer32
(Default)
<Windows system>\comctld.dll
These registry entries are recreated every few seconds.
Once the registry entries have been created, the Trojan opens an instance of Internet Explorer at the page "about:blank" in order to execute the dropped DLL.
Troj/Stoped-A accesses a preconfigured URL from which it downloads instructions on what to do next. These instructions can cause the Trojan to uninstall itself or download an updated version of itself to the temporary folder and execute it.
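
A read-only PowerShell check for the files, registry entries and process named in this description, added here as an example and not part of the Sophos write-up. The function name and the extra 64-bit locations (SysWOW64, Wow6432Node) are assumptions of this example.

```powershell
# Added example: read-only check for the indicators named in this description.
# Function and variable names are this example's own, not Sophos's.
function Get-StopedAIndicator {
    $clsid = '{A4B66678-C8BA-61D3-9ED9-13309406392A}'
    # The description spells the DLL both ways, so both are checked.
    $files = 'regsrvc.exe', 'comctldl.dll', 'comctld.dll'
    # Assumption: on 64-bit Windows a 32-bit process is redirected to
    # SysWOW64 and Wow6432Node, so both views are examined.
    $sysDirs = @([Environment]::GetFolderPath('System'),
                 [Environment]::GetFolderPath('SystemX86')) | Select-Object -Unique
    $hklm = 'HKLM:\Software', 'HKLM:\Software\Wow6432Node'
    $hkcr = 'Registry::HKEY_CLASSES_ROOT\CLSID',
            'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    # Helper that emits one finding as an object.
    $hit = { param($type, $where, $data)
             [pscustomobject]@{ Type = $type; Location = $where; Data = $data } }

    foreach ($dir in $sysDirs) {
        foreach ($name in $files) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) { & $hit 'File' $path $null }
        }
    }
    foreach ($root in $hklm) {
        $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -LiteralPath $runKey -Name 'regsrvc' -ErrorAction SilentlyContinue
        if ($run) { & $hit 'RunValue' $runKey $run.regsrvc }
        $bho = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        if (Test-Path -LiteralPath $bho) { & $hit 'BHO' $bho $null }
    }
    foreach ($root in $hkcr) {
        $key = "$root\$clsid\InprocServer32"
        $srv = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($srv) { & $hit 'InprocServer32' $key $srv }
    }
    # The entries are recreated every few seconds, so also report a running copy.
    Get-Process -Name 'regsrvc' -ErrorAction SilentlyContinue |
        ForEach-Object { & $hit 'Process' $_.Path $_.Id }
}

Get-StopedAIndicator | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed indicators were found; a `RunValue` or `InprocServer32` hit shows the data currently stored so it can be compared with the paths given above.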
