Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | October 2005 (3.98) |
| Protection available since | 18 August 2005 20:39:22 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/WinSpy-C is a multicomponent Trojan for the Windows platform.
The Trojan allows backdoor access to remote users. Troj/WinSpy-C can be instructed to perform various functions including:
sending email
displaying pictures
downloading/executing files
harvesting usernames and passwords (from Outlook, internet accounts, etc.)
modifying the system registry
logging keypresses
listing/terminating processes
listing visited URLs
When Troj/WinSpy-C is installed the following files are created:
<Windows>\Outlook.exe
<Windows>\WinHandler.dll
<Windows>\dll32\services.exe
<Windows>\hpeg.dll
<Windows>\refsdm.dll
<System>\WinHandler.dll
<System>\aosmtp.dll
<System>\mswinsck.ocx
<Windows>\taskmgr.exe
<Windows>\uniner.exe
<Windows>\wsdll32.exe
where aosmtp.dll, hpeg.dll and mswinsck.ocx are legitimate clean applications, and
msconfig.exe, outlook.exe, rdesk.exe, services.exe, taskmgr.exe, unir.exe,
uniner.exe and WinHandler.dll are Trojan components.
The following registry entry is created to run services.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTSet32
<Windows>\dll32\services.exe
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
Registry entries are created under:
HKLM\SOFTWARE\NTSet\
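
The file and registry artefacts listed above can be checked on a suspect host with a read-only script. This is an added example, not Sophos code: it assumes `<Windows>` is `%windir%` and `<System>` is `System32` (also checking `SysWOW64` and `WOW6432Node`, where a 32-bit process would land on 64-bit Windows), and the helper name `Add-Finding` is hypothetical.

```powershell
# Added example: read-only check for the Troj/WinSpy-C artefacts listed above.
# Assumptions: <Windows> = %windir%; <System> = System32, or SysWOW64 when a
# 32-bit process wrote the file on 64-bit Windows (same reason for WOW6432Node).
$win = $env:windir
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Item, $Note) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Note = $Note })
}

# Files the page lists as created, excluding aosmtp.dll, hpeg.dll and
# mswinsck.ocx, which it calls legitimate and which can exist on clean hosts.
$files = @(
    "$win\Outlook.exe", "$win\WinHandler.dll", "$win\dll32\services.exe",
    "$win\refsdm.dll", "$win\taskmgr.exe", "$win\uniner.exe", "$win\wsdll32.exe",
    "$win\System32\WinHandler.dll", "$win\SysWOW64\WinHandler.dll"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        Add-Finding 'File' $f 'Name and location match only; the page gives no hashes'
    }
}

# Run-key value NTSet32 and the HKLM\SOFTWARE\NTSet key, in both registry views.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -Name 'NTSet32' -ErrorAction SilentlyContinue
    if ($run) { Add-Finding 'Registry' "$runKey\NTSet32" "Data: $($run.NTSet32)" }
    if (Test-Path -LiteralPath "$root\NTSet") {
        Add-Finding 'Registry' "$root\NTSet" 'Key the page says the Trojan creates'
    }
}

# Hidden = 2 is also Explorer's normal "do not show hidden files" setting, so it
# is reported only as corroboration when something else was already found.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -Name 'Hidden' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2 -and $findings.Count -gt 0) {
    Add-Finding 'Registry' "$advKey\Hidden" 'Value is 2; corroborating only'
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Troj/WinSpy-C artefacts from this page were found.'
}
```

The `HKCU` check covers only the account running the script, so run it in the affected user's session as well as from an elevated prompt.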
