TROJ_STRAT.GI
Malware type: Trojan
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
File type: PE
Memory resident: Yes
Size of malware: 20,576 Bytes (compressed)
Initial samples received on: Jun 11, 2007
Payload 1: Downloads files
Details: This Trojan arrives as an attachment to email messages spammed by another malware or a malicious user.
It accesses the following Web site to download and execute a file:
http://{BLOCKED}esunhaxazedesa.com/getw.exe - detected by Trend Micro as WORM_STRAT.GI
As a result, routines of the downloaded worm are also exhibited on the affected system.
It comes with its own compression and runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Luis Antonio P. Magisa
Copyright (c) 1989-2007 Trend Micro Incorporated. All rights reserved.
Labels: Spam, Trojan
Infostealer.Banker.C
Risk Level 1: Very Low
SUMMARY Discovered: April 2, 2007
Updated: April 2, 2007 9:02:00 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Payload: May steal sensitive information from the compromised computer.
Distribution
Distribution Level: Low
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
Mar 29 2007
Nikolay Grebennikov
'Keyloggers, phishing and social engineering are currently the main methods being used in cyber fraud.'
In February 2005, Joe Lopez, a businessman from Florida, filed a suit against Bank of America after unknown hackers stole $90,000 from his Bank of America account. The money had been transferred to Latvia.
An investigation showed that Mr. Lopez’s computer was infected with a malicious program, Backdoor.Coreflood, which records every keystroke and sends this information to malicious users via the Internet. This is how the hackers got hold of Joe Lopez’s user name and password, since Mr. Lopez often used the Internet to manage his Bank of America account.
However the court did not rule in favor of the plaintiff, saying that Mr. Lopez had neglected to take basic precautions when managing his bank account on the Internet: a signature for the malicious code that was found on his system had been added to nearly all antivirus product databases back in 2003.
Joe Lopez’s losses were caused by a combination of overall carelessness and an ordinary keylogging program.
Full article here
Labels: Backdoor, News Article, Social Engineering, Trojan
Trojan.Linkoptimizer.B
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References: CVE-2003-0111, CVE-2005-4560, CVE-2006-0005, CVE-2006-3866, CVE-2006-4868, CVE-2006-6121
Trojan.Linkoptimizer.B is a generic detection for a family of Trojan horse programs that download dialer components, display pop-up advertisements and attempt to prevent removal by blocking security-related applications.
It has been reported that variants of Trojan.Linkoptimizer.B may be installed by visiting several different malicious Web sites while making legitimate searches on some popular search engines.
The initial domains returned by search engines may redirect users to other .com domains with random names which host different browser exploits.
Variants of Trojan.Linkoptimizer.B are installed by exploiting browser vulnerabilities including the following:
Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (Security Focus Bugtraq ID 6221)
Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (Security Focus Bugtraq ID 16644)
Microsoft WMF Remote Code Execution Vulnerability (Security Focus Bugtraq ID 16074)
Microsoft Internet Explorer VML Remote Code Execution Vulnerability (Security Focus Bugtraq ID 20096)
Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability (Security Focus Bugtraq ID 21207)
NOTE: At the time of writing, it has been reported that the installation of Trojan.Linkoptimizer.B and its variants works only for users with Italian IP addresses.
The exploits drop an executable file in the following folder:
%Temp%\[RANDOM NAME1].exe
Once executed, the variants of Trojan.Linkoptimizer.B create the following mutexes to ensure that only one copy of the threat is running on the compromised computer:
_x_mgr_
_x_hlp_
The variants may check whether a modem is installed on the compromised computer by enumerating the Remote Access devices and looking for one of the following strings, terminating if neither is found:
modem
isdn
It may create the following registry entries so that the threat is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[8 RANDOM LETTERS].[EXT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[FIXPART1][FIXPART2].exe"
NOTE: The security permissions of these keys are modified so that Administrator users will not be able to remove or change them.
The variants reportedly may create some of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
It may create some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ShockPlayer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\[5 RANDOM LETTERS]
The Trojan variants attempt to resolve the following domain:
aondskwje.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The variants may try to download the following encrypted file:
[http://]196.238.242.23/view/logo[REMOVED]
[FIXED_STRING] is one of the following strings:
csr
ctf
drv
dsk
hlp
lsa
man
mod
mon
net
sql
srv
svc
sys
tsk
upd
win
While copying itself into the %System% folder, the variant appends a variable amount of random data to itself and patches the security permissions of the file. It then locks the file so that the malicious file cannot be accessed, deleted or renamed.
If the operating system is Windows XP, 2000 or 2003, the variants may start the Task Scheduler service and add the following task in order to run when Windows starts:
Run: %System%\[FIXED_STRING][5 RANDOM LETTERS].exe
Run as: NT AUTHORITY\System
Schedule: At System Startup
The task is saved in the following file and has the security permissions set to prevent removal.
%Windir%\Tasks\[5 RANDOM LETTERS].job
Next, the Trojan variants attempt to resolve one of the following domains:
itqoipyqsq.com
addwjf6zoy.com
c5ehm8fp.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The Trojan variant tries to download the following encrypted file:
[http://]85.255.115.133/styles/deskt[REMOVED]
NOTE: At the time of writing the file is downloaded only if the compromised machine has an Italian IP address. It has been observed that non-Italian IP addresses get a 500 error message from the remote Web server.
The downloaded file may install multiple dialer components that will dial high-cost numbers.
The Trojan.Linkoptimizer.B variant checks for the presence of debuggers or monitoring tools. It will not run on computers running in a VMware environment or with any of the following drivers active:
SIWVIDSTART - Numega SoftICE Debugger
FILEMON - Sysinternals Filemon
REGMON - Sysinternals Regmon
PROCMON - Sysinternals Procmon
It may inject a thread into EXPLORER.EXE that attempts to terminate any program which has the following text in its window title:
antidialer
avenger
avz antiviral
catchme
ccleaner
dumphive
gmer
hardware upgrade forum
hijackthis
listdlls
p2p forum italia
pjf(ustc)
restore ssdt
runalyzer
silent runners
suspectfile
swreg
Systemscan
unhook selected
unlockerassistant
It may create a copy of itself with one of the following names:
%System%\[8 RANDOM LETTERS].[EXT]
%System%\[FIXPART1][FIXPART2].exe
[EXT] is one of the following strings:
bak
dat
log
old
tmp
txt
ver
[FIXPART1] is one of the following strings:
admin
auto
boot
cfg
chat
defrag
demo
dump
edit
key
note
office
power
reg
run
set
sys
sys32
System
task
video
win
win32
[FIXPART2] is one of the following strings:
audit
backup
cache
check
clean
config
control
debug
event
find
info
init
load
lookup
mode
notify
setup
stat
tray
viewer
wizard
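The IFEO "Debugger" persistence described earlier and the file-naming scheme just listed are what a defender would check for on a suspect host. The following Python is an added example, not part of the Symantec writeup: it parses a constructed .reg export and flags IFEO Debugger values whose target file name matches the writeup's [8 RANDOM LETTERS].[EXT] or [FIXPART1][FIXPART2].exe patterns.

```python
import re

# Word lists and extensions as listed in the Trojan.Linkoptimizer.B writeup above.
FIXPART1 = ["admin", "auto", "boot", "cfg", "chat", "defrag", "demo", "dump", "edit",
            "key", "note", "office", "power", "reg", "run", "set", "sys", "sys32",
            "system", "task", "video", "win", "win32"]
FIXPART2 = ["audit", "backup", "cache", "check", "clean", "config", "control", "debug",
            "event", "find", "info", "init", "load", "lookup", "mode", "notify",
            "setup", "stat", "tray", "viewer", "wizard"]
DATA_EXTS = ["bak", "dat", "log", "old", "tmp", "txt", "ver"]
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

def matches_naming_scheme(path):
    """True if the file name follows one of the two patterns from the writeup."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if re.fullmatch(r"[a-z]{8}\.(?:%s)" % "|".join(DATA_EXTS), name):
        return True
    m = re.fullmatch(r"([a-z0-9]+)\.exe", name)
    return bool(m) and any(m.group(1) == a + b for a in FIXPART1 for b in FIXPART2)

def find_ifeo_debuggers(reg_export):
    """Yield (image name, debugger path) for every Debugger value under IFEO."""
    image = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_ifeo = key.lower().startswith(IFEO_KEY.lower() + "\\")
            image = key[len(IFEO_KEY) + 1:] if in_ifeo else None
        elif image and line.lower().startswith('"debugger"='):
            value = line.split("=", 1)[1].strip().strip('"')
            yield image, value.replace("\\\\", "\\")  # .reg doubles backslashes

def suspicious_debuggers(reg_export):
    """IFEO hijacks whose target matches the naming scheme. Legitimate Debugger
    values exist (e.g. developer tools), so the name match is what flags here."""
    return [(img, dbg) for img, dbg in find_ifeo_debuggers(reg_export)
            if matches_naming_scheme(dbg)]

# Constructed sample export, not a real capture; third entry is a benign decoy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\syscheck.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\qwertyui.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="C:\\Tools\\mydebugger.exe"
"""
```

On a live host the same logic applies to the output of `reg export` for the IFEO key; the writeup's note that the keys' permissions are altered means a clean read may itself require elevated rights.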
Variants of Trojan.Linkoptimizer.B carry XML configuration data that can be updated from a remote site and allows the variant to download or install multiple dialer components. The configuration data that can be updated includes high-cost numbers to dial with the following prefixes:
899
00881
The variant will also use the updated configuration data to contact one of the following URLs:
[http://]www.webcont.net/CONTENTS/adul[REMOVED]
[http://]www.keycont.net/CONTENTS/audl[REMOVED]
Updated configuration data will also include valid account information for the URLs dialed.
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
Name: Troj/DwnLdr-GSP
Type: Trojan
Affected operating systems: Windows
Side effects: Downloads code from the internet
Aliases: Trojan-Downloader.Win32.Small.bur
Troj/DwnLdr-GSP is a Trojan for the Windows platform.
Troj/DwnLdr-GSP includes functionality to communicate with a remote server via HTTP.
When Troj/DwnLdr-GSP is executed, it downloads and creates the file \mensagem.exe. This file is not available at the time of writing.
Labels: Microsoft, Trojan, Virus
Size: 11 kbytes (packed)
Discovered: 2007 Feb 14
SYMPTOMS:
- The presence of the following file: %WINDIR%\sqhos32.wmf
- The presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
- A process named 'module.exe' running
TECHNICAL DESCRIPTION:
The trojan creates a file named sqhos32.wmf in the %WINDIR% folder; this file contains data the trojan uses. It then creates the following registry key in order to execute itself at each system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
The trojan tries to download a file named 'module.exe' from http://eased{...}.com/et.exe.
When the link becomes available, it will execute the downloaded file, delete the startup registry key and mark itself for deletion at the next system startup.
ANALYZED BY:
Marius Botis, virus researcher
Labels: Microsoft, Trojan, Worm
Name: Troj/Psychwa-S
Type: Trojan
Affected operating systems: Windows
Troj/Psychwa-S is a Trojan for the Windows platform.
Troj/Psychwa-S includes functionality to access the internet and communicate with a remote server via HTTP.
Labels: Anti-Virus, Microsoft, Trojan
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003, Mac OS X
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: Low
Size of malware: 5,609 Bytes
Initial samples received on: Mar 16, 2007
Related to: TROJ_DLOADER.JHV
Payload 1: Steals information
Details:
This malicious JavaScript may be dropped by another malware. It may also be downloaded from the Internet, particularly by the malware TROJ_DLOADER.JHV.
It is used to steal information, such as login credentials, used in MySpace accounts. MySpace (www.myspace.com) is a popular social networking Web site that hosts profiles of users from all around the world.
This JavaScript uploads the stolen information to the URL http://{BLOCKED}ofileawareness.com/logs4/connect.php. As a result, remote users may view and use the uploaded information for malicious purposes.
It runs on Mac OS X, Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Carlo Panganiban
Labels: Anti-Virus, http, Microsoft, Trojan
Name: Troj/IMspam-B
Type: Trojan
Affected operating systems: Windows
Side effects: Forges the sender's email address. Uses its own emailing engine. Downloads code from the internet
Troj/IMspam-B is a Trojan for the Windows platform.
Troj/IMspam-B is a mass spamming tool that targets MSN Messenger, Windows Live Messenger, AOL Instant Messenger and email addresses.
When run Troj/IMspam-B closes all other instances of itself and removes all EXEs in the root folder of the C drive.
Sample text appears as:
"Heeey i saw a pic of u online HAHAHA check "
At the time of writing, the EXE downloaded from the malicious link is detected as W32/Delbot-U.
Labels: Anti-Virus, Microsoft, Trojan, Virus
Name: Troj/DollarR-CG
Type: Trojan
Affected operating systems: Windows
Side effects: Installs itself in the Registry
Aliases: Trojan-Downloader.Win32.Adload.ic, DollarRevenue trojan
Troj/DollarR-CG is a downloader Trojan for the Windows platform.
Troj/DollarR-CG includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/DollarR-CG is installed it creates the file \newname.dat.
The following registry entry is created to run Troj/DollarR-CG on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
newname
Labels: Anti-Virus, Microsoft, Trojan