BoClean and Trojan-Pushu Protection

Does BoClean protect against Trojan-Pushu?

One of my systems is infected with this trojan (according to Webroot Spysweeper).

I don’t believe it is …

Can you please zip the infected file and password protect it with “infected”, including that information in the body, and send it to both:

bocleansubmissions [ at ] and
malwaresubmit [ at ]

… so that it can be added.

Thank you :)

Greetz, Red.

Best way to find out is to download CBO and let her take a shot at it.
Just because it’s not included by that name doesn’t mean it’s not included.

Yup, you are right :) Let’s say searching with that name in relation to CBOClean doesn’t bring up anything :)

Greetz, Red.

OK, will try. But I’m not certain if it is a “file” that can be isolated like that. I’ll check when I get back from my business trip this weekend.

FYI, there’s a lot of info about this trojan via a Google search. The common way the infection process is mentioned (opening an email attachment) though cannot be the way my system got it for many reasons, first being that this particular system is not used for email at all.

Even though the latest version of Spysweeper caught and quarantined it, I’d feel better if BoClean was able to detect it too. No telling how long it was on my system before last week’s Spysweeper program update detected it.

It may be a Webroot Spysweeper false positive from some postings I’ve found.
You can check for evidence of the infection: if Webroot is hitting on the registry key and none of the other files are found, it’s a false positive.
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW\0000
From Sophos:

When Troj/Pushu-A is installed the following file is created:


This file is also detected as Troj/Pushu-A, and is registered as a new system driver service named “Runtime”. Registry entries are created under:


One of the following files is also created:


These files are also detected as Troj/Pushu-A, and may be registered as a new system driver service named “Restore”. Registry entries are created under:


These system files provide stealthing for Troj/Pushu-A.

Troj/Pushu-A also attempts to inject a file into iexplore.exe. This injected file is also detected as Troj/Pushu-A, and attempts to download from a remote location to some of the following locations:

\system32<random number>_exception.nls
<random number>.exe


sorry, imo, SpySweeper = bloated crapware.

another useful app might be SuperAntiSpyware. Has a free scanner and is a very powerful tool.

and… do as above re the install info.