|Detected||Mar 28 2007 08:28 GMT|
|Released||Mar 30 2007 06:28 GMT|
|Published||Mar 28 2007 08:28 GMT|
This Trojan program is designed to steal confidential data. It is a Windows PE EXE file, and is 34304 bytes in size. It is packed using a customized packer.
The Trojan copies itself to
with system, read only and archive attributes.
When copying it appends random-sized junk to the end of its file in an attempt to make detection more difficult. It does not modify the PE header.
It creates the following directory:
%sysdir%\wsnpoem\ (hidden, system attributes) %sysdir%\wsnpoem\audio.dll - data file %sysdir%\wsnpoem\video.dll - config file
The Trojan adds itself to the following registry keys:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] userinit="%sysdir%\ntos.exe" [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run] userinit="%sysdir%\ntos.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value "Userinit":
The Trojan injects itself into winlogon.exe and from there on functions as a handle.
It creates the following mutex:
to flag its presence in the system.
The Trojan contacts 22.214.171.124 to download its config file, check for updates and to transmit harvested data.
It accesses PStore to retrieve passwords.
It also monitors network activity for the following:
The Trojan captures information submitted via POST by browser to steal login data from sites.
Captured data is transferred via FTP.
Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.