[virusinfo] Troj/Adtoda-A

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Tue, 25 May 2004 08:32:53 -0700

From; Sophos Alert System:

Name: Troj/Adtoda-A
Type: Trojan
Date: 25 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the July 2004 (3.83) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


At the time of writing, Sophos has received just one report of
this Trojan from the wild.


Note: The IDE issued for Troj/Adtoda-A at 11:28 GMT on 2 April
also contained detection for Troj/Adtoda-B, Troj/INServ-A,
Troj/StartPa-AB, Troj/ByteVeri-G, W32/Agobot-FO, W32/Agobot-JS
and W32/Agobot-FP. This IDE has now been updated to enhance
detection of W32/Agobot-FP.

Information about Troj/Adtoda-A can be found at:
http://www.sophos.com/virusinfo/analyses/trojadtodaa.html
Description 
Troj/Adtoda-A is a backdoor Trojan. 
When first run, Troj/Adtoda-A will display the following two messages: 

"Setup was not able to continue the installation.
An illegal copy of Windows Operating System was detected on this computer.
The computer informations is already collect and will be post as this
computer name: (name of machine)" 

"The operating system will not work properly before you get a permission
after you complete the penalty!
For any detail informations, Please contact the following link:
http:\\www.microsoft.com\~msproduct\~watch\~piracy10
\secureID=OS_wiNver_532Fg32_ap12nt04A" 

After the user clicks "OK" on both of these messages, Troj/Adtoda-A installs
itself and activates the payload. This inverts the screen and freezes the
machine so that is needs to be rebooted. 

In order to run automatically when Windows starts up the Trojan creates the
file
C:\Windows\system\winupd32.exe and the shortcut
C:\Windows\Start Menu\Programs\StartUp\System Update Service.lnk pointing to
it. 

These files will cause the payload to be run again on system boot. 

Troj/Adtoda-A also attempts to modify C:\boot.ini to prevent debugging. 
 

This IDE file also includes detection for:

Troj/Adtoda-B
http://www.sophos.com/virusinfo/analyses/trojadtodab.html
Troj/INServ-A
http://www.sophos.com/virusinfo/analyses/trojinserva.html
Troj/StartPa-AB
http://www.sophos.com/virusinfo/analyses/trojstartpaab.html
Troj/ByteVeri-G
http://www.sophos.com/virusinfo/analyses/trojbyteverig.html
W32/Agobot-FO
http://www.sophos.com/virusinfo/analyses/w32agobotfo.html
W32/Agobot-JS
http://www.sophos.com/virusinfo/analyses/w32agobotjs.html
W32/Agobot-FP
http://www.sophos.com/virusinfo/analyses/w32agobotfp.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/adtoda-a.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Troj/Adtoda-A

1. Home
2. virusinfo
3. Archive
4. 05-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---