12/22: PSW-GF Trojan Copies Itself to Windows Temp Folder

When run Troj/PSW-GF creates the files:

system\sigveri - detected as Troj/PSW-GF
system\PGPsc.sys - detected as Troj/NtRootK-EG
system\config\security.emf - clean file

A copy of the Trojan will also be created in the Windows temporary folder with a name that starts "cwh" followed by a random two-digit number.

The following registry entry is modified:

HKLM\Software\Microsft\Windows NT\CurrentVersion\winlogon\shell explorer.exe system\sigveri –l

More information can be found at this Sophos page.

Comment and Contribute