Home / malware

PDF

Trojan:Win32/Shapouf.A

First posted on 22 May 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Shapouf.A.

Explanation :

Threat behavior

Installation

Trojan:Win32/Shapouf.A creates the following files on your PC:

• c:\documents and settings\administrator\application data\csrss.exe

Payload

Changes system security settings

Trojan:Win32/Shapouf.A adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:

Adds value: "Client Server Runtime Process"
With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
This malware description was produced and published using automated analysis of file SHA1 63ae94b31e015ac6a8d007470a9a89522aff7ddb.Symptoms

System changes

The following could indicate that you have this threat on your PC:

• You have these files:
  
  c:\documents and settings\administrator\application data\csrss.exe

• You see these entries or keys in your registry:
  
  Sets value: "Client Server Runtime Process"
  With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
  In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Last update 22 May 2014

 

TOP