|Detected||Sep 23 2009 08:00 GMT|
|Released||Sep 23 2009 12:19 GMT|
|Published||Sep 25 2009 09:57 GMT|
This Trojan spy program is designed to steal confidential user data and remotely manage the victim machine. It is a Windows PE EXE file. It is 470 bytes in size.
When launched, the Trojan creates the following file:
<name&gr; is chosen at random from the list below:
dumpreport msiexeca svchosts upnpsvc service taskmon rundll helper event logon sound lsas
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "<name2>" = %AppData%\<name>.exe|
<name2> is chosen at random from the list below:
CrashDump svchosts EventLog TaskMon Windows RunDll System Setup Sound lsass UPNP Init
The Trojan connects to servers to download and run malicious code. The server addresses are saved to the system registry key shown below:
The Trojan saves its settings to the registry keys shown below:
The malicious code downloaded from the servers is designed to harvest information from the victim machine (user name, login data, program passwords, local and network passwords).
The Trojan can also be configured to steal login and password data for Internet banking systems by substituting spoofed pages for genuine banking system pages. The program targets popular financial organizations such as the ones listed below:
https://www.hsbc.co.uk https://www.mybusinessbank.co.uk https://investing.schwab.com
The Trojan will regularly download updates to its code and additional modules. The programs downloaded include:
In order to spread via the local network, the Trojan ties to copy itself to network machines by using ipc$ and admin$ and also shared folders. In order to launch itself on networked machines, the Trojan uses a legitimate utility, Sysinternal's psexec.exe.
In order to prevent the malicious program spreading via networks, servers used by domain administrators should be disinfected. Additionally strong passwords should be used on local machines.
The Trojan downloads a variety of code from servers. This code can be modified or replaced with other malicious code. At the time of writing, the Trojan was configured to connect to the addresses listed below:
panel.***boora.cn 147.202.39.*** 174.36.82.*** 195.12.38.*** 195.189.247.*** 195.225.236.*** 205.234.231.*** 209.51.159.*** 209.85.120.*** 61.153.3.*** 64.18.143.*** 66.128.55.*** 66.199.237.*** 66.199.237.*** 66.225.237.*** 66.7.197.*** 75.102.23.***
The Trojan only runs on English versions of Windows.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "<name2>" = %AppData%\<name>.exe
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.