IFEOHijack Trojan or False Positive (Debugger)

Hello Sophos Malware Community,
Doing a scan today I came across this.
Registry Key: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\cmd.exe, No Action By User, [6465], [250074],1.0.7587
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\cmd.exe, No Action By User, [6465], [250074],1.0.7587
Trying to determine if it's a real risk or not, and asking for some advice.

Thanks
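Before acting on a hit like the one above, the two registry locations such a detection refers to can be listed and checked by hand. The script below is an added example written for this thread, not code from Sophos or from the scanner that produced the log. It assumes an elevated PowerShell session on the scanned machine, reads the registry only, and covers both the IFEO `Debugger` values and the `App Paths` keys named in the scan output (the function names, the review criteria and the output layout are this example's own choices).

```powershell
# Added example (not from the thread): list IFEO Debugger values and App Paths
# entries and flag the ones worth a closer look. Read-only; changes nothing.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$appPathRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths'
)

# Every per-executable IFEO subkey that carries a Debugger value.
function Get-IfeoDebuggers {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Kind = 'IFEO Debugger'; Target = $_.PSChildName; Value = $dbg; Key = $_.Name }
            }
        }
    }
}

# Every App Paths subkey with its (default) value, i.e. the path Windows will
# use when that executable name is launched by name.
function Get-AppPathOverrides {
    foreach ($root in $appPathRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $default = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Kind = 'App Path'; Target = $_.PSChildName; Value = $default; Key = $_.Name }
        }
    }
}

# Turn a raw registry value ("C:\x\y.exe" /arg, %SystemRoot%\...) into a file path.
function Resolve-Executable([string]$raw) {
    if (-not $raw) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 0) { return $s.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($s, '^(.*?\.exe)', 'IgnoreCase')   # unquoted path followed by arguments
    if ($m.Success) { return $m.Groups[1].Value }
    return ($s -split '\s+')[0]
}

# Reasons an entry deserves review: missing file, file outside %SystemRoot%,
# missing/invalid signature, non-Microsoft signer, or a target of cmd.exe.
# A non-empty list means "look closer", not "confirmed malicious".
function Test-Suspicious($entry) {
    $reasons = @()
    $exe = Resolve-Executable $entry.Value
    if (-not $exe) {
        $reasons += 'empty value'
    } elseif (-not (Test-Path -LiteralPath $exe)) {
        $reasons += "file not found: $exe"
    } else {
        if (-not $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'outside %SystemRoot%'
        }
        # Catalog-signed system binaries report Valid on Windows 8 and later.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signer: $($sig.SignerCertificate.Subject)"
        }
    }
    if ($entry.Target -ieq 'cmd.exe') { $reasons += 'entry for cmd.exe' }
    return $reasons
}

$entries = @(Get-IfeoDebuggers) + @(Get-AppPathOverrides)
foreach ($e in $entries) {
    $reasons = @(Test-Suspicious $e)
    $tag = if ($reasons.Count -gt 0) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1,-14} {2,-22} {3}  [{4}]' -f $tag, $e.Kind, $e.Target, $e.Value, ($reasons -join '; ')
}
```

Lines tagged `REVIEW` are the ones to compare against a known-good machine of the same Windows build: an `App Paths\cmd.exe` key whose value points at a signed binary under `%SystemRoot%\System32` reads very differently from one pointing at a file in a user profile or temp directory, and the `Key` field gives the exact path to hand to whoever examines the machine further.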
  • I will skip the details, but the reference to IFEO and "Debugger" tells me you are dealing with a network worm and banking trojan called TrickBot; this is pretty much the most advanced worm in the world at the moment. It has various methods of spreading in a network and won't stop until it is removed. Its ultimate goal is to inject malicious code into the user's browser so they can steal money from the user's bank account. Basically, anybody infected with TrickBot who logs into their online banking can expect to see money leaving their account pretty quickly. I also heard reference to people logging into Amazon and seeing items appearing in their shopping basket.

    Make sure Sophos is installed, you are following best practice (everything is turned on) and that Sophos is updating correctly.

    Which Sophos product are you using? If you have any of the Intercept X products, make sure our Deep Learning feature is enabled; it is great at killing TrickBot.
