|Detected|Mar 29 2009 16:03 GMT|
|Released|Mar 29 2009 19:47 GMT|
|Published|Apr 15 2009 07:34 GMT|
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size.
The Trojan copies its executable file as follows:
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
The Trojan adds its executable file to the Windows firewall list of trusted applications. It then launches the “iexplore.exe” process and injects its code into this process.
It also attempts to terminate the following processes:
avesvc.exe, ashdisp.exe, avgrsx.exe, bdss.exe, spider.exe, avp.exe, nod32krn.exe, cclaw.exe, dvpapi.exe, ewidoctrl.exe, mcshield.exe, pavfires.exe, almon.exe, ccapp.exe, pccntmon.exe, fssm32.exe, issvc.exe, vsmon.exe, cpf.exe, ca.exe, tnbutil.exe, avp.exe, mpfservice.exe, npfmsg.exe, outpost.exe, tpsrv.exe, pavfires.exe, kpf4ss.exe, persfw.exe, vsserv.exe, smc.exe
It also attempts to disable the following services associated with antivirus and firewall programs:
The Trojan also harvests passwords for web sites that are saved in the caches of the browsers shown below:
It also harvests passwords and account data for the following IM clients:
Trillian, Miranda, Yahoo Messenger, MySpace IM, Gaim
The Trojan has a built-in keylogger and can take screenshots of the user’s desktop. These screenshots are saved to the Temporary directory as <N>, where <N> is a decimal number.
Harvested data is sent to the malicious user’s server: 212.158.160.***
The Trojan copies its executable file to the root of each removable drive under the following name:
<X>:\wlan.exe, where X is the drive letter
In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:
This file will launch the Trojan executable file each time the user opens an infected disk using Explorer.
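As an added triage example (not part of the original description), the function below checks an in-memory snapshot of a host for the file-system artifacts listed above: wlan.exe in the root of a removable drive, a root-level companion file that references it, and decimal-named files in the Temp directory. The snapshot, drive letters and Temp path are constructed sample data; the companion file's real name and content are not given in the write-up, so the check only looks for a reference to the executable.

```python
# Added example: host triage for the artifacts described in the write-up.
import re
from typing import Dict, List

TROJAN_NAME = "wlan.exe"             # file name used on removable drives
DECIMAL_NAME = re.compile(r"^\d+$")  # screenshots are saved as <N>, N decimal


def _root_files(snapshot: Dict[str, bytes], drive: str) -> Dict[str, bytes]:
    """Return the files that sit directly in the root of `drive` (e.g. 'E:')."""
    prefix = drive.upper() + "\\"
    return {p: c for p, c in snapshot.items()
            if p.upper().startswith(prefix) and "\\" not in p[len(prefix):]}


def scan_snapshot(snapshot: Dict[str, bytes], drives: List[str], temp_dir: str) -> List[str]:
    """Return one finding string per matched artifact.

    `snapshot` maps full Windows paths to file contents, `drives` lists the
    removable drive letters to inspect and `temp_dir` is the Temp directory.
    """
    findings = []
    for drive in drives:
        root = _root_files(snapshot, drive)
        exe = [p for p in root if p.rsplit("\\", 1)[-1].lower() == TROJAN_NAME]
        if exe:
            findings.append(f"{drive}\\{TROJAN_NAME} present in drive root")
        # Any other root-level file whose content names the executable is a
        # candidate for the launcher file the write-up describes.
        for path, content in root.items():
            name = path.rsplit("\\", 1)[-1]
            if path not in exe and TROJAN_NAME.encode() in content.lower():
                findings.append(f"{drive}\\{name} references {TROJAN_NAME}")
    temp_prefix = temp_dir.rstrip("\\").upper() + "\\"
    shots = [p for p in snapshot
             if p.upper().startswith(temp_prefix)
             and DECIMAL_NAME.match(p[len(temp_prefix):])]
    if shots:
        findings.append(f"{len(shots)} decimal-named file(s) in {temp_dir} (possible screenshots)")
    return findings


SAMPLE_SNAPSHOT = {  # constructed sample data, not taken from a real infection
    "E:\\wlan.exe": b"MZ placeholder",
    "E:\\launcher.txt": b"run WLAN.EXE",          # placeholder companion file
    "E:\\photos\\img1.jpg": b"JFIF placeholder",  # not in the root, ignored
    "F:\\notes.txt": b"hello",
    "C:\\Users\\u\\AppData\\Local\\Temp\\1": b"\x89PNG",
    "C:\\Users\\u\\AppData\\Local\\Temp\\27": b"\x89PNG",
    "C:\\Users\\u\\AppData\\Local\\Temp\\report.docx": b"PK",
}
SAMPLE_TEMP = "C:\\Users\\u\\AppData\\Local\\Temp"

if __name__ == "__main__":
    for line in scan_snapshot(SAMPLE_SNAPSHOT, ["E:", "F:"], SAMPLE_TEMP):
        print(line)
```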
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually saves a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, the temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to: