| Detected | Jun 05 2005 09:57 GMT |
| Released | Jun 05 2005 11:47 GMT |
| Published | Aug 09 2005 12:27 GMT |
This Trojan belongs to a family of programs designed to steal system passwords. It steals confidential data about the victim machine, including passwords and information entered via the keyboard.
The Trojan itself is a Windows PE EXE file approximately 68KB in size, packed using ASPack. The unpacked file is approximately 81KB in size.
When installing, the Trojan copies itself to %Program Files% under one of the names listed below:
%Program Files%\Internat.exe
%Program Files%\rundll32.exe
%Program Files%\svhost32.exe
It then registers this file in the system registry, ensuring that the Trojan file will be launched each time Windows is rebooted on the victim machine.
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "load" = "%Program Files%\svhost32.exe"
The Trojan also creates the following file in the Windows system directory:
The Trojan harvests a variety of confidential data from the victim machine, including system passwords, keystrokes, and a list of processes launched. This information is then sent to the remote malicious user by email.
Lineage.ha terminates processes where the names contain the following text strings:
Eghost.exe
Iparmor.exe
Kavpfw.exe
Mailmon.exe
Ravmon.exe
This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.