Threat Information for "Trojan.PWS.Tanspy.R"

Removal

StopSign will automatically remove this infection with a paid membership.

Summary
  • Name: Trojan.PWS.Tanspy.R
  • Aliases:
  • Date Discovered: 2006-09-11
  • Protection Added: 2006-09-14
Description
-- Ease of Removal

1: Injects DLLs into running processes
2: Uses running processes
3: Consistent file contents
4: Consistently named
5: Hides files
6: Hides running processes

-- Privacy Risks/Security Changes

1: Transmits personal data to remote computers
2: Harvests personal data
3: Harvests saved passwords
4: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Modifies critical registry entries
2: Modifies Windows critical files
3: Significantly slows down the computer
4: Creates new files
5: Downloads other threats

-- Propagation/Saturation

1: Infects from embedded code in an email
2: Infects from a link in an email
3: Infects from an email attachment
Technical Details
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\init.dll
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\xvid.dll
  • Added Directory/File:
    FilePath: %COMMONFILESDIR%\system\lsass.exe
  • Added Directory/File:
    FilePath: %ROOTDRIVE%bkup.reg
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\xvid.ini
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\divx.ini
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\drivers\ip.sys
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\Ip4Sec
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Windows Value: shell
  • Added Registry Value:
    Key: HKCU\Software Value: vs
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value: SFCDisable
  • Added Registry Value:
    Key: HKU\S-*\%CURRENTVERSIONREG%\Run Value: ctfmon.exe
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Windows Value: system
  • Added Registry Value:
    Key: HKCU\Software Value: ver
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value: SFCScan
  • Added Registry Value:
    Key: HKCU\%CURRENTVERSIONREG%\Run Value: ctfmon.exe
  • Added Registry Data:
    Key: HKCU\%CURRENTVERSIONREG%\Run Value: [RANDOM VALUE] Data: %COMMONFILESDIR%\system\lsass.exe
  • Added Registry Data:
    Key: HKU\S-*\%CURRENTVERSIONREG%\Run Value: [RANDOM VALUE] Data: %COMMONFILESDIR%\system\lsass.exe