Troj/Lohav-N

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/Lohav-N is a backdoor proxy Trojan.

Troj/Lohav-N may arrive with a filename of SPYKILLER.EXE as part of an email with the following text:

"Dear user <email address>

Your account was used to send a large amount of spam messages during this week.
Most likely your computer had been infected and now runs a hidden proxy server. We recommend you to run the attached trojan killer software in order to keep your computer safe.

Regards,
Support Team"

Troj/Lohav-N may download and run members of the Troj/Padador family of Trojans. At the time of writing, Troj/Lohav-N downloads and runs Troj/Padodor-N.

When first run, Troj/Lohav-N copies itself to the Windows System folder as SCVHOST.EXE.

In order to run automatically each time Windows is started, Troj/Lohav-N sets the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
scvhost.exe = <SYSTEM>\scvhost.exe

HKCU\Software\Timeout\uid = <number>
HKCU\Software\Timeout\port = <listening port number>
HKCU\Software\Timeout\pid = <process identity number>

where the default listening port number is 7060.

Periodically, Troj/Lohav-N will attempt to register the infected machine with a number of websites.

Troj/Lohav-N may be used to route internet traffic from other computers via the proxy component and can be used to forward spam email.

Troj/Lohav-N will attempt to terminate the following security-related processes:

OUTPOST.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE, NTVDM.EXE, NVARCH16.EXE, KERIO-WRP-421-EN-WIN.EXE, KILLPROCESSSETUP161.EXE, LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE, CLEANPC.EXE, AVprotect9x.exe, CMGRDIAN.EXE, CMON016.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, ICSSUPPNT.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE, DRWATSON.EXE, ENT.EXE, ESCANH95.EXE, AVXQUAR.EXE, ESCANHNT.EXE, ESCANV95.EXE, AVPUPD.EXE, EXANTIVIRUS CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, AUTODOWN.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE, IRIS.EXE, JAMMER.EXE, ATUPDATER.EXE, AUPDATE.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, BORG2.EXE, BS120.EXE, CDP.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, AUTOUPDATE.EXE, CFINET.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE, NAVW32.EXE, NCINST4.EXE, AUTOTRACE.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE, NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE, NISSERV.EXE, NISUM.EXE, CFIAUDIT.EXE, LUCOMSERVER.EXE, AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATWATCH.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVSYNMGR.EXE, BD_PROFESSIONAL.EXE, BIDEF.EXE, Drvddll.exe, drvsys.exe, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, NWINST4.EXE, NWTOOL16.EXE, OSTRONET.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE, PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, DRWEBUPW.EXE, PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCFWALLICON.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE, AVLTMAIN.EXE, PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE, PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE, PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, WGFE95.EXE, WHOSWATCHINGME.EXE, AVWUPD32.EXE, NUPGRADE.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE, XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, CFINET32.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMON016.EXE, CPD.EXE, CFGWIZ.EXE, CFIADMIN.EXE, PURGE.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDT32.EXE, REGEDIT.EXE, UPDATE.EXE, RESCUE.EXE,
RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCN95.EXE, RULAUNCH.EXE,
SAFEWEB.EXE, SBSERV.EXE, SD.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE, SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE, SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, LUALL.EXE, SUPPORTER5.EXE, SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE, UNDOBOOT.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE, VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE,
VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE,
VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE, CFIAUDIT.EXE, CFINET.EXE, ICSUPP95.EXE, MCUPDATE.EXE, CFINET32.EXE, CLEAN.EXE, CLEANER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE, MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE, MU0311AD.EXE, NAV80TRY.EXE, ZAUINST.EXE, ZONALM2601.EXE, ZONEALARM.EXE

Sophos Anti-Virus version 3.85 detects this Trojan as W32/Bagle-Gen without requiring an update.

download Try Sophos products for free
Download now