From; Sophos Alert System: Name: Troj/Shed-A Aliases: Trojan-Clicker.Win32.Small.fb Type: Trojan Date: 8 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this Trojan from the wild. Information about Troj/Shed-A can be found at: http://www.sophos.com/virusinfo/analyses/trojsheda.html Troj/Shed-A is a Trojan for the Windows platform. Troj/Shed-A creates the following registry entries in order to run itself automatically at logon: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run <word pair> <Windows system folder>\bopotsvr.exe HKCR\Classes\CLSID\<GUID>\InProcServer32\ default) C:\\WINDOWS\\System32\\c_12atex.dll HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad Shedule Address <GUID> where <GUID> is a randomly-generated sequence and <word pair> is a combination of any two words from the following list: Internet Security Protocol Meeting Shedule Explorer Messenger Browser Component Windows Media Player Address Themes Update Connection Agent WebControl Network Remote Access Terminal Client If run with sufficient rights Troj/Shed-A will install itself as an application authorised by Windows Firewall to communicate with the outside world. Troj/Shed-A may attempt to download configuration files specifying further actions to take, including downloading and executing files. Troj/Shed-A drops another file to the Windows temporary folder and runs it. This file (also detected as Troj/Shed-A) opens a hidden Internet Explorer window at a preconfigured URL after modifying internet security settings by changing the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1001 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1004 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1201 0 This IDE file also includes detection for: Troj/StartPa-FP http://www.sophos.com/virusinfo/analyses/trojstartpafp.html Troj/HideProc-D http://www.sophos.com/virusinfo/analyses/trojhideprocd.html Troj/Dropper-AG http://www.sophos.com/virusinfo/analyses/trojdropperag.html Troj/Multidr-DD http://www.sophos.com/virusinfo/analyses/trojmultidrdd.html Troj/Feutel-D http://www.sophos.com/virusinfo/analyses/trojfeuteld.html Troj/Dropper-W http://www.sophos.com/virusinfo/analyses/trojdropperw.html Troj/ShareAll-C http://www.sophos.com/virusinfo/analyses/trojshareallc.html Troj/Optix-SE http://www.sophos.com/virusinfo/analyses/trojoptixse.html Download the IDE file from: http://www.sophos.com/downloads/ide/shed-a.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member
