Threat Information for "Trojan.PWS.Egold"

Removal Top

StopSign will automatically remove this infection with a paid membership.

Summary Top
  • Name: Trojan.PWS.Egold
  • Aliases:TR/Spy.Agent.MX, Win32:Trojano-3436, PSW.Agent.BVD, Generic.Malware.SFL!Bg.1EE19A83, Logger.Agent.mx, W32/Agent.MX!tr.spy
  • Date Discovered: 2006-08-25
  • Protection Added: 2006-08-28
Description Top 
-- Ease of Removal

1: Uses running processes
2: Consistent file contents
3: Consistently named
4: Creates new registry entries with consistent data

-- Privacy Risks/Security Changes

1: Transmits personal data to remote computers
2: Harvests personal data
3: Disables security software
4: Mimics legitimate file names
5: Disables Windows Firewall
6: Disables Windows Security Center notification options

-- Damage/Intrusion/Annoyance

1: Creates new files
2: Autoruns at startup without an option to be disabled
3: Displays error messages due to buggy code

-- Propagation/Saturation

1: Infects from a link in an email
Technical Details Top
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service\reoxconf.sam
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service\dlls.txt
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service\data
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service\reoxconf.tan
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service\reoxconf.cmd
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\service\explorer.exe
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Value: EnableFirewall
  • Added Registry Value:
    Key: HKLM\Software\Microsoft\Security Center Value: AntiVirusDisableNotify
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Value: DoNotAllowExceptions
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Value: DisableNotifications
  • Added Registry Data:
    Key: HKCU\%CURRENTVERSIONREG%\Policies\Explorer\Run Value: [RANDOM VALUE] Data: service\explorer.exe
  • Added Registry Data:
    Key: HKU\S-*\%CURRENTVERSIONREG%\Policies\Explorer\Run Value: [RANDOM VALUE] Data: service\explorer.exe