Troj/Roamer-A

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports

Troj/Roamer-A is a Trojan for the Windows platform.

When first run, Troj/Roamer-A copies itself to:

<Windows>\ActiveX.exe
<System>\Active.exe
<System>\svchost.exe

and creates the following non-malicious files:

\me.bmp
\temp002.txt
<System>\logxp.log

The following registry entries are created to run ActiveX.exe, Active.exe and svchost.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATITech
<System>\Active.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Roam04
<Windows>\ActiveX.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NortonVPlus
<System>\svchost.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<Windows>\system
Active.exe
<System>\Active.exe:*:Enabled:Active

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<Windows>\system
svchost.exe
<System>\svchost.exe:*:Enabled:svchost

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS
ActiveX.exe
<Windows>\ActiveX.exe:*:Enabled:ActiveX