Trojan.Desktophijack Trojan Information

Name: Trojan.Desktophijack
Category: Trojan
Advice: Remove
Risk: High Risk
High risk threats are typically remotely exploitable vulnerabilities which can lead to system compromise. Successful exploitation does not normally require any user interaction. Such threats may open communication ports, use polymorphic tactics, stealth installation and/or anti-spyware countermeasures, and may exploit a security flaw in the operating system to gain access to your computer.

Description:
Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.

Creates the following files:
%SystemDrive%\wp.exe
%SystemDrive%\wp.bmp
%System%\gunist.exe
%System%\param32.dll
%System%\pop_up.dll
%System%\searchdll.dll
%System%\wldr.dll
%System%\Air Tickets.ico
%System%\Big Tits.ico
%System%\Blackjack.ico
%System%\Britney Spears.ico
%System%\Car Insurance.ico
%System%\Cheap Cigarettes.ico
%System%\Credit Card.ico
%System%\Cruises.ico
%System%\Currency Trading.ico
%System%\Lesbian Sex.ico
%System%\MP3.ico
%System%\Online Betting.ico
%System%\Online Gambling.ico
%System%\Oral Sex.ico
%System%\Party Poker.ico
%System%\Pharmacy.ico
%System%\Phentermine.ico
%System%\Pornstars.ico
%System%\Remove Spyware.ico
%System%\viagra.ico
%UserProfile%\Desktop\Air Tickets.url
%UserProfile%\Desktop\Big Tits.url
%UserProfile%\Desktop\Blackjack.url
%UserProfile%\Desktop\Britney Spears.url
%UserProfile%\Desktop\Car Insurance.url
%UserProfile%\Desktop\Cheap Cigarettes.url
%UserProfile%\Desktop\Credit Card.url
%UserProfile%\Desktop\Cruises.url
%UserProfile%\Desktop\Currency Trading.url
%UserProfile%\Desktop\Lesbian Sex.url
%UserProfile%\Desktop\MP3.url
%UserProfile%\Desktop\Online Betting.url
%UserProfile%\Desktop\Online Gambling.url
%UserProfile%\Desktop\Oral Sex.url
%UserProfile%\Desktop\Party Poker.url
%UserProfile%\Desktop\Pharmacy.url
%UserProfile%\Desktop\Phentermine.url
%UserProfile%\Desktop\Pornstars.url
%UserProfile%\Desktop\Remove Spyware.url
%UserProfile%\Desktop\viagra.url

Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds the following value:
"WindowsFY" = "C:\wp.exe"
to the registry subkey:
HKEY_USERS\Software\Microsoft\Windows\Current Version\Run

Adds the following value:
"{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Explorer\SharedTaskScheduler

Adds the following value:
"{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""
to the registry subkey:
HKEY_USERS\Software\Microsoft\Internet Explorer\URLSearc

Signatures:
Type: Trojan - A Trojan is any software on a user's computer that the user is not aware of or did not intentionally install. Most Trojan software is designed to perform actions that could jeopardize the user's security or privacy.