Created:
8/15/2006 3:36:15 PM

Author:
Przemek Radzikowski


Trojan Factory-Tfactory-A

Troj/Tfactory-A is a Trojan which claims to remove spyware and adware from the computer.

At the time of writing (15th August 2006), Trend Micro with pattern file 3.657.00 does not detect this Trojan. The only reference I have been able to find is on the Sophos website.

If you don't run Sophos, you can try HijackThis and similar tools to help you remove this Trojan.

Troj/Tfactory-A sets various registry entries and downloads various dummy files, so that it can then report these dummy installations of spyware and adware, in an attempt to coerce users into buying spyware and adware removal software.

Troj/Tfactory-A displays popup messages with text such as:

'This notice is brought to you by Windows Security Center.'
'Download spyware remover now and run full system scan to remove trojans, viruses and spyware from your PC...'
'Your computer running slower than usual! It maybe infected with dangerous spyware or adware. Full system scan is highly recommended to remove possible malicious spyware from your computer.'
'Windows Security Center - Alert!'
'Windows Security Center has detected spyware activity on your computer! Click here to remove spyware...'
'Click here to remove spyware and adware from your computer immediately...'
'Click to remove spyware and adware from your computer...'
'Click here to remove spyware, adware, trojans and viruses from your computer...'
'Protect your computer. Download spyware remover to remove spyware and protect your data and privacy.'
'Windows has detected spyware on your computer! Full system scan is highly recommended to remove spyware.'
'Danger! Spyware activity detected on your computer...'

Troj/Tfactory-A installs itself as follows:

<System>\office_pnl.dll
<System>\officescan.exe
<System>\smartdrv.exe
<System>\winblsrv.dll

Troj/Tfactory-A downloads and installs the following additional files:

<Windows>\bg_bg.gif
<Windows>\big_red_x.gif
<Windows>\buy_now.gif
<Windows>\click_for_free_scan.gif
<Windows>\close_ico.gif
<Windows>\download.gif
<Windows>\download_product.gif
<Windows>\free_scan_red_btn.gif
<Windows>\icon_warning_big.gif
<Windows>\infected.gif
<Windows>\infected_top_bg.gif
<Windows>\logo.gif
<Windows>\navibar_bg.gif
<Windows>\navibar_corner_left.gif
<Windows>\navibar_corner_right.gif
<Windows>\product_box.gif
<Windows>\red_warning_ico.gif
<Windows>\remove_spyware_header.gif
<Windows>\safe_and_trusted.gif
<Windows>\spyware_detected.gif
<Windows>\win_logo.gif
<Windows>\yellow_warning_ico.gif
<Windows>\alexaie.dll
<Windows>\alxie328.dll
<Windows>\alxtb1.dll
<Windows>\BTGrab.dll
<Windows>\dlmax.dll
<Windows>\Pynix.dll
<Windows>\susp.exe
<Windows>\ZServ.dll
<System>\mshtml32.tdb
<System>\a.exe
<System>\alxres.dll
<System>\bridge.dll
<System>\dailytoolbar.dll
<System>\jao.dll
<System>\questmod.dll
<System>\runsrv32.dll
<System>\runsrv32.exe
<System>\smaexp32.dll
<System>\tcpservice2.exe
<System>\txfdb32.dll
<System>\udpmod.dll
<System>\winlogon.ini
<System>\wstart.dll

The file office_pnl.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B53455DB-5527-4041-AC41-F86E6947AA47}
HKCR\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}
HKCR\office_pnl.office_panel
HKCR\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}
HKCR\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}

Troj/Tfactory-A sets the following registry entries (key, then value name = value data):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adware.Srv32 = <System>\runsrv32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service
    Adware.Srv32 = <no value>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service
    Adware.Srv32 = <no value>

HKCR\AppID\WStart.DLL
    WStart = wstart.dll

HKCR\AppID\DailyToolbar.DLL
    DailyToolbar = dailytoolbar.dll

HKCR\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}
    (Default) = <no value>

HKCR\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}
    (Default) = <no value>

Troj/Tfactory-A creates the following registry entries:

HKLM\SOFTWARE\Transponder
HKLM\SOFTWARE\Software\TPS108
HKLM\SOFTWARE\RespondMiter
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa Toolbar
HKCU\Software\Microsoft\IPCheck
HKLM\SOFTWARE\WSoft
HKLM\SOFTWARE\NIX Solutions\DailyToolbar
HKLM\SOFTWARE\DailyToolbar
HKLM\SOFTWARE\Alexa Toolbar
HKLM\SOFTWARE\Alexa Internet
HKCR\WStart.WHttpHelper.1
HKCR\WStart.WHttpHelper
HKCR\url_relpacer.URLResolver
HKCR\Popup.PopupKiller
HKCR\Popup.HTMLEvent.
HKCR\PopMenu.Menu
HKCR\jao.jao
HKCR\IEToolbar.AffiliateCtl
HKCR\DailyToolbar.SysMgr
HKCR\DailyToolbar.IEBand
HKCR\Bridge.brdg
HKCR\AlxTB.BHO
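A read-only check a defender can run for the artefacts listed above: the four dropped files, the office_pnl.dll BHO registration and the Adware.Srv32 autostart values. This is an added example, not code from the original post or from Sophos; it assumes Windows PowerShell 3.0 or later and that <System> is the System32 folder.

```powershell
# Added example (not from the original post): report-only checks for the
# Troj/Tfactory-A artefacts listed in the write-up. Nothing is deleted.
# Assumes Windows PowerShell 3.0+ and that <System> maps to the System32 folder.
$system   = [Environment]::GetFolderPath('System')      # <System>
$bhoClsid = '{B53455DB-5527-4041-AC41-F86E6947AA47}'    # office_pnl.dll BHO CLSID from the listing
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files from the "installs itself as follows" list
foreach ($name in 'office_pnl.dll', 'officescan.exe', 'smartdrv.exe', 'winblsrv.dll') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
}

# 2. BHO registration: the CLSID appears in IE's BHO list and under HKCR\CLSID,
#    and the ProgID office_pnl.office_panel is created alongside it
$bhoKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    'Registry::HKEY_CLASSES_ROOT\office_pnl.office_panel'
)
foreach ($key in $bhoKeys) {
    if (Test-Path -LiteralPath $key) { $findings.Add("registry key present: $key") }
}

# 3. Autostart persistence: a value named Adware.Srv32 under Run / RunOnce
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'Adware.Srv32')) {
        $findings.Add("autostart value Adware.Srv32 under $key = '$($props.'Adware.Srv32')'")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Tfactory-A artefacts found.'
} else {
    Write-Output "Troj/Tfactory-A artefacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the HKLM keys are readable; a hit on any item is a reason for a full scan with an up-to-date scanner, since the downloaded files and the remaining registry keys listed above are not covered by this check.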

For more information go to:

http://www.sophos.com/security/analyses/trojtfactorya.html?_log_from=rss

Updated: Monday, October 28, 2013