Sophos

Troj/Webber-A

Aliases
  • TrojanProxy.Win32.Webber.10
  • Backdoor.Berbew
  • BackDoor-AXJ
  • Downloader-DI

Summary

Included in our products from September 2003 (3.73)
Protection available since 28 September 2003 09:47:11 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Change any passwords that may have become compromised.

You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the following value under HKEY_LOCAL_MACHINE:

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger

'Web Event Logger' is a value in the right-hand pane of the ShellServiceObjectDelayLoad key, not a subkey. Delete that value if it exists; leave the ShellServiceObjectDelayLoad key itself and its other values in place, as Windows uses them for legitimate shell components.

Close the registry editor.

More Information

Troj/Webber-A is a backdoor Trojan with two components.

The loader component downloads the main part from a web address into the system folder and executes it.

The downloaded component is a password-stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to CGI scripts at another web address.

The downloaded component copies itself with a random name into the Windows system folder and drops and executes a DLL file (also with a random name) that runs the copy of the Trojan.

In order to be started automatically the Trojan creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger

Windows Explorer instantiates every COM class listed under ShellServiceObjectDelayLoad when a user logs on, so a DLL registered there runs at each logon without appearing in the usual Run keys. The Trojan registers its dropped DLL as such a class by also creating this registry entry:

HKLM\Software\Classes\CLSID\79FA9088-19CE-715D-D85A-216290C5B738\InProcServer32\

The Trojan also functions as a web proxy.
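As an added example (not part of the Sophos page and not a Sophos tool), the following PowerShell script performs the registry check and removal described in the Action section above and shows how the two registry entries work together: it lists every ShellServiceObjectDelayLoad value, resolves each CLSID to the DLL named by its InProcServer32 key, flags the Webber entry, and deletes it only when asked. The value name 'Web Event Logger' and the CLSID come from this page; the -Remove switch, the function name and the output fields are this example's own assumptions.

```powershell
<#
  Added example, not a Sophos tool: audit the ShellServiceObjectDelayLoad
  (SSODL) autostart described on this page and optionally remove the
  Troj/Webber-A entry. The value name 'Web Event Logger' and the CLSID
  79FA9088-19CE-715D-D85A-216290C5B738 come from the page; the -Remove
  switch, function name and output fields are this example's own.
  Run from an elevated prompt: HKLM requires administrator rights.
#>
param(
    [switch]$Remove   # report-only by default; pass -Remove to delete
)

$SsodlPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$BadName   = 'Web Event Logger'
$BadClsid  = '79FA9088-19CE-715D-D85A-216290C5B738'

function Get-SsodlEntries {
    # Each value under SSODL is a CLSID that explorer.exe instantiates at
    # logon; resolve it to the DLL named by the class's InProcServer32 key.
    $key = Get-Item -Path $SsodlPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        $bare  = $clsid.Trim('{', '}')
        $dll   = $null
        # The page lists the CLSID without braces; registered classes normally
        # carry them, so try both spellings.
        foreach ($candidate in @("{$bare}", $bare)) {
            $srv = Get-Item -Path "HKLM:\Software\Classes\CLSID\$candidate\InProcServer32" -ErrorAction SilentlyContinue
            if ($srv) { $dll = [string]$srv.GetValue(''); break }
        }
        $exists = $false
        if ($dll) {
            $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
        }
        [pscustomobject]@{
            Name       = $name
            Clsid      = $bare
            Dll        = $dll
            DllExists  = $exists
            # Match on either indicator; the dropped DLL itself has a random name.
            Suspicious = ($name -eq $BadName) -or ($bare -ieq $BadClsid)
        }
    }
}

$entries = @(Get-SsodlEntries)
if ($entries.Count -eq 0) {
    Write-Output 'No ShellServiceObjectDelayLoad entries found.'
    return
}

# Review the whole list: anything that is not a known shell component is worth a look.
$entries | Format-Table Name, Clsid, Dll, DllExists, Suspicious -AutoSize

foreach ($e in $entries | Where-Object Suspicious) {
    if (-not $Remove) {
        Write-Warning "Suspicious SSODL entry '$($e.Name)' -> $($e.Dll). Re-run with -Remove to delete it."
        continue
    }
    # Delete the autostart value first, then the CLSID registration it points to,
    # leaving the SSODL key and its other values intact.
    Remove-ItemProperty -Path $SsodlPath -Name $e.Name -ErrorAction Stop
    foreach ($candidate in @("{$($e.Clsid)}", $e.Clsid)) {
        $classKey = "HKLM:\Software\Classes\CLSID\$candidate"
        if (Test-Path -LiteralPath $classKey) {
            Remove-Item -LiteralPath $classKey -Recurse -ErrorAction Stop
        }
    }
    Write-Output "Removed '$($e.Name)'. Reboot, then delete $($e.Dll) and the Trojan copy it loads from the system folder."
}
```

Two caveats when using this. The DLL is loaded into explorer.exe, so the file itself cannot be deleted until after a reboot (or after Explorer is restarted); the script therefore only removes the registry entries and tells you which file to delete afterwards. On 64-bit Windows a 32-bit in-process COM server registers under HKLM\Software\Classes\Wow6432Node\CLSID, which a 64-bit PowerShell session will not see at the path used above; check that hive as well or run the script from a 32-bit session.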
