Troj/Backdgs-A
Type
Trojan
Detection
Detected by Sophos Anti-Virus since October 2003.
Description
Troj/Backdgs-A is a backdoor Trojan which runs in the background as a service
process and allows unauthorised remote access to the computer over a network.
Troj/Backdgs-A copies itself to the Windows system folder as WINUPDATE.EXE
and adds entries to the registry at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
to run itself on system restart.
Troj/Backdgs-A also logs keystrokes to a file called Z_INS.LG in the Windows
system folder and may attempt to email this file to an external address.
Troj/Backdgs-A may also attempt to steal passwords and collect local computer
information (e.g. operating system, processor type), and may attempt to terminate
processes belonging to security software such as ZoneAlarm.
Recovery
Please follow the instructions for removing Trojans.
Delete the file Z_INS.LG in the Windows system folder if it exists.
Change any passwords that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please
read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry
editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu,
click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your
registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any value that references the file you deleted (WINUPDATE.EXE).
Close the registry editor.
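The recovery steps above can be checked offline against the backup you exported from Regedit. The following script is an added example, not Sophos's own code or tooling: it parses a REGEDIT4-format export, lists every value under the two persistence keys named above whose command references WINUPDATE.EXE, and writes a small .reg file that deletes only those values. The sample export embedded in it is constructed for illustration; the value name "Windows Update" and the path C:\WINDOWS\SYSTEM are assumptions, since the description does not state what value name the Trojan uses.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description: the dropped file name and the
# two autorun keys it adds entries to (full names as they appear in a .reg export).
DROPPED_FILE = "WINUPDATE.EXE"
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
}
_PERSISTENCE_UPPER = {k.upper() for k in PERSISTENCE_KEYS}

# Constructed sample of a Regedit "Export Registry File" backup. The value name
# "Windows Update" and the directory C:\WINDOWS\SYSTEM are assumed, not from the page.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\SYSTEM\\WINUPDATE.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Update"="C:\\WINDOWS\\SYSTEM\\winupdate.exe"
'''

# A "name"=data line; the name keeps its .reg escaping so it can be re-emitted verbatim.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Handles the subset needed here: [key] headers and "name"=data lines.
    Default values (@=) and hex continuation lines are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")  # "[-key]" marks a key deletion
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def unquote(data: str) -> str:
    """Undo .reg string escaping: "C:\\\\X\\\\y.exe" -> C:\\X\\y.exe.
    Non-string data (dword:, hex:) is returned unchanged."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def find_references(keys: Dict[str, Dict[str, str]],
                    filename: str = DROPPED_FILE) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for each value under the persistence
    keys whose command names the dropped file. Matching is case-insensitive
    because both NTFS/FAT file names and registry data are case-insensitive."""
    pattern = re.compile(r'(?:^|[\\/\s"])' + re.escape(filename) + r"(?:\b|$)",
                         re.IGNORECASE)
    hits = []
    for key, values in keys.items():
        if key.upper() not in _PERSISTENCE_UPPER:
            continue
        for name, raw in values.items():
            cmd = unquote(raw)
            if pattern.search(cmd):
                hits.append((key, name, cmd))
    return hits


def removal_reg(hits: List[Tuple[str, str, str]]) -> str:
    """Build a REGEDIT4 file that deletes only the flagged values ("name"=-),
    leaving every other value in those keys untouched."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = find_references(parse_reg(SAMPLE_REG))
    for key, name, cmd in found:
        print(f"{key}\n    {name} = {cmd}")
    print(removal_reg(found))
```

Run it against your real Backup.reg instead of SAMPLE_REG (exports from newer Regedit versions are UTF-16 and start with "Windows Registry Editor Version 5.00"; decode them with that encoding before parsing). Review the generated .reg by eye before importing it, and import it only after WINUPDATE.EXE itself has been deleted, otherwise the file is still present and only its autorun entries are gone.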