Summary

| Included in our products from | August 2007 (4.20) |
|---|---|
| Protection available since | 19 June 2007 12:27:58 (GMT) |
| Last updated | 2 July 2007 17:32:09 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Spywad-Gen is a family of Trojans for the Windows family.
Members of Troj/Spywad-Gen often include functionality to access the internet and communicate with a remote server via HTTP.
Members of Troj/Spywad-Gen often copy themselves to the root or Windows folder and may create the file
Members of Troj/Spywad-Gen often set registry entries at the following location to run themselves at startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Members of Troj/Spywad-Gen often create registry entries under:
HKCU\Software\Install\
Some members of Troj/Spywad-Gen attempt to close certain notification windows related to anti-virus and security programs.
Some members of Troj/Spywad-Gen include functionality to display fake error messages, usually in the Windows taskbar, claiming that the computer is infected by spyware. The Trojan will then offer to download and install further software, claiming that it is anti-spyware software.
Some members of Troj/Spywad-Gen set some of the following registry entries in order to modify settings for the Desktop wallpaper:
| Registry key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoAddingComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoDeletingComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoEditingComponents | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoHTMLWallPaper | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktop | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | ClassicShell | 0 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | ForceActiveDesktopOn | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | Wallpaper | |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | WallpaperStyle | 2 |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | TileWallpaper | 0 |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | ComponentsPositioned | 2 |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | WallpaperFileTime | |
| HKCU\Software\Microsoft\Internet Explorer\Desktop\General | WallpaperLocalFileTime | |
| HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General | WallpaperFileTime | |
| HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General | WallpaperLocalFileTime | |
Some members of Troj/Spywad-Gen may also delete the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
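
A triage check built from the registry values listed above, as an added example that is not Sophos code: it parses `reg export` text, counts how many of the page's HKCU values are present with the listed data, and reports any values under HKCU\Software\Install\. The threshold of three, the `review` flag and the sample export are assumptions constructed for illustration.

```python
import re

ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
IE = r"HKCU\Software\Microsoft\Internet Explorer\Desktop\General"
# (key, value name) -> data as listed on the page; None = the page lists no data.
INDICATORS = {(POL + r"\ActiveDesktop", n): "0" for n in (
    "NoChangingWallpaper", "NoComponents", "NoAddingComponents",
    "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallPaper")}
INDICATORS.update({
    (POL + r"\Explorer", "NoActiveDesktop"): "0", (POL + r"\Explorer", "ClassicShell"): "0",
    (POL + r"\Explorer", "ForceActiveDesktopOn"): "1", (POL + r"\System", "Wallpaper"): None,
    (IE, "WallpaperStyle"): "2", (IE, "TileWallpaper"): "0", (IE, "ComponentsPositioned"): "2"})
LOOKUP = {(k.lower(), n.lower()): d for (k, n), d in INDICATORS.items()}

def parse_reg(text):
    """Yield (key, name, data) from .reg export text; dwords become decimal strings."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            root, _, rest = m.group(1).partition("\\")
            key = ABBREV.get(root.upper(), root) + "\\" + rest
        elif key and (m := re.fullmatch(r'"(.+?)"=(.*)', line)):
            name, raw = m.groups()
            is_dword = raw.lower().startswith("dword:")
            yield key, name, str(int(raw[6:], 16)) if is_dword else raw.strip('"')

def triage(text, threshold=3):
    """Count page-listed values present; threshold is an assumed cut-off."""
    hits, install = [], set()
    for key, name, data in parse_reg(text):
        k = (key.lower(), name.lower())  # registry names are case-insensitive
        if k in LOOKUP and LOOKUP[k] in (None, data):
            hits.append((key, name, data))
        if (key.lower() + "\\").startswith("hkcu\\software\\install\\"):
            install.add(key)
    return {"hits": hits, "install_keys": sorted(install), "review": len(hits) >= threshold}

# Constructed sample export, not taken from a real infection.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"WallpaperStyle"="2"
[HKEY_CURRENT_USER\Software\Install\ExampleEntry]
"Placeholder"="constructed"'''
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `triage`. Several of these values also occur on clean machines, which is why the check counts them together rather than flagging any single one.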
