
HTTP TrojanGuarder Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application TrojanGuarder.

Additional Information

When TrojanGuarder is executed, it performs the following actions:

1. Creates some of the following files:
* %ProgramFiles%\Trojan Guarder Gold Version\hook.dll
* %ProgramFiles%\Trojan Guarder Gold Version\Products.htm
* %ProgramFiles%\Trojan Guarder Gold Version\Trojan Guarder Help.chm
* %ProgramFiles%\Trojan Guarder Gold Version\Trojan Guarder.exe
* %ProgramFiles%\Trojan Guarder Gold Version\trojan.update
* %ProgramFiles%\Trojan Guarder Gold Version\unins000.dat
* %ProgramFiles%\Trojan Guarder Gold Version\unins000.exe
* %ProgramFiles%\Trojan Guarder Gold Version\Visit Our Site.url
* C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder Gold Version.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Guarder Gold Version\Help.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Guarder Gold Version\Trojan Guarder Gold Version.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Guarder Gold Version\Uninstall.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Guarder Gold Version\Visit Our Site.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Guarder Gold Version.lnk
* %UserProfile%\Desktop\Trojan Guarder Gold Version.lnk

Note:

* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates some of the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trojan Guarder Gold Version_is1
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx\Exension
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx\Exension\{223bd4fe-345e-ffae-3c9f-fe62375679e1}

3. Adds the following registry entry:

"ComStart" = "C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe"

to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
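A defender-side check for the registry indicators listed above, added here as an example and not part of the Symantec advisory: it parses a Windows .reg export (the sample export below is constructed, not a real capture) and flags the "ComStart" Run entry and the listed subkeys.

```python
"""Scan a Windows .reg export for the TrojanGuarder registry indicators above."""

# Indicators taken from the advisory text.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ComStart"
RUN_VALUE_DATA = r"C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe"
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Uninstall\Trojan Guarder Gold Version_is1")
PTX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx"

# Constructed sample export (not a real capture); .reg files double every backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ComStart"="C:\\Program Files\\Trojan Guarder Gold Version\\Trojan Guarder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx]
@=""
'''

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Undo the .reg escaping of backslashes and quotes.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_indicators(reg_text):
    """Return (kind, detail) tuples for every indicator present; empty list if none."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        if path == UNINSTALL_KEY or path == PTX_KEY or path.startswith(PTX_KEY + "\\"):
            findings.append(("subkey", path))
        if path.lower() == RUN_KEY.lower():
            data = values.get(RUN_VALUE_NAME)
            # Flag the exact entry and any ComStart value pointing into the install folder.
            if data is not None and "trojan guarder" in data.lower():
                findings.append(("run_entry", data))
    return findings
```

Export the Run key with `reg export` on the host and pass the file contents to `find_indicators`; an empty list means none of the listed registry indicators were present.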