Tuesday, July 19, 2011

Trojan-PSW.InvisibleThief.23019

VirusHunter warns computer users about the spread of the dangerous Trojan program Trojan-PSW.InvisibleThief.23019, which belongs to the "PdPinch" family of Trojans, steals confidential information from infected machines, downloads other malware via the Internet, etc.


1. Preliminary information.

This Trojan is spread by an unknown attacker on the Internet under the guise of a "utility" for (de)encrypting files. The Trojan was caught undetected "in the wild" and was passed to me for study by our web designer.
It is believed that the Trojan was created in Russia or Ukraine approximately in the second half of June 2005. It consists of two files: l2decrypt.exe, the Trojan itself, written in Microsoft Visual C++. Its size is 63,488 bytes (not compressed). The Trojan code proper occupies 23,019 bytes of this file; the remaining 40,469 bytes are a harmless (de)crypt utility (hereafter simply "the utility") embedded in the Trojan's body, intended to decrypt the configuration file of the network game Lineage II; temp.exe, the utility itself, 40,469 bytes in size (not compressed). It has a graphical interface that runs in an emulated MS-DOS window and accepts a command line. The utility was embedded in the Trojan's code in order to decrypt the configuration file of the Lineage II game and then fish certain confidential information about the current player out of it.

2. Installing a Trojan in the system.

When a user runs the file l2decrypt.exe, the Trojan extracts the utility from its body, copies it to the root of the system directory under the name temp.exe (C:\WINDOWS\temp.exe), and then launches it. The utility's interface shows its author's contact details as well as instructions for its optional file-handling and command-line functionality. The utility's working window looks as follows:

[screenshot of the utility window; not preserved in this copy]

When this window is closed, the utility (the program temp.exe) terminates. The Trojan file l2decrypt.exe, however, continues to run covertly and stays in memory until it finishes its work (note: the number of copies of the Trojan in memory depends on how many times the user has launched l2decrypt.exe).
The Trojan creates its own section of keys in the system registry, whose path contains %windir%, the directory in which Windows is installed. The purpose of this key is unclear, since it is not a startup key for temp.exe (used for its own purposes?). Moreover, under Windows 9X/ME the Trojan does not create this key. The Trojan also creates another key, whose path contains %path%, the path from which the user ran l2decrypt.exe. This key is created only under Windows 2K/XP, and only if the corresponding service packs (SP4 and SP2 respectively) are installed; it allows the Trojan to run as an internal system service with certain privileges and to hide some of its procedures from certain system calls. In either case, regardless of the Windows version, the Trojan is activated again after a reboot only when the user runs l2decrypt.exe again.

3. Stealing confidential data.

Immediately after launch, the Trojan attempts to connect to the following web page (part of the address is replaced with the symbol "%" for security reasons): http://www.%-%.de/mail.php. To open the page the Trojan launches the system application iexplore.exe (the Internet Explorer web browser) with this link in the Address field, and uses a special procedure to hide the windows of that process so that they are invisible to the user's eye. The Trojan passes the address to the browser window over TCP/IP port 1025. If for any reason the request cannot be sent (for example, the machine is disconnected from the Internet, or the port is already in use by another program), the Trojan increases the port number by 1 (i.e. 1026, 1027, and so on) and repeats the connection attempt. After a failure the Trojan renews its attempts at intervals of 17 seconds (on machines running Windows 9X/ME/2K/XP) or 22 seconds (on machines running Windows 2K/XP with SP? installed). Each failed attempt lasts about 1 second, after which the Trojan closes the hidden window and "sleeps" for a further 17 (22) seconds. On a successful connection the Trojan reads a logical label from the page (at the time of the study this was _ret_ok_1) and compares it with a label in its own code. If the labels match (the sample I studied contained exactly the same label), the Trojan activates its password-espionage routine, which searches for and parses certain program and system files and registry keys to extract user names and passwords, serial numbers and some other confidential information. If it finds such files, the Trojan decrypts their contents using the decryption procedure built into its code (except, as already mentioned, for the game Lineage II, whose secret data is retrieved with the file-based utility temp.exe).
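The retry behaviour described above (a hidden browser window, a port that steps up by one after each failure, a new attempt every 17 or 22 seconds) is a usable network indicator. The following is an added example, not part of VirusHunter's description: a Python script that groups outbound-connection log lines by process, destination host and path, and flags groups whose median inter-arrival time is close to 17 or 22 seconds, additionally noting whether the ports step up by one. The log format, the placeholder host name www.placeholder-host.de and every sample line are constructed for the example.

```python
"""Detect the 17/22-second retry cadence over constructed log lines.

Added example, not from the original write-up. Assumes a simple
outbound-connection log with the columns: date, time, process,
local port, destination host, URL path, result. All lines below are
constructed; the host name is a placeholder for the redacted address.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a hidden iexplore.exe retrying mail.php every 17 s,
# stepping the port up by one on each failure, mixed with normal browsing.
SAMPLE_LOG = """\
2005-07-10 12:00:00 iexplore.exe 1025 www.placeholder-host.de /mail.php FAIL
2005-07-10 12:00:05 iexplore.exe 3200 news.example.net /index.html OK
2005-07-10 12:00:17 iexplore.exe 1026 www.placeholder-host.de /mail.php FAIL
2005-07-10 12:00:34 iexplore.exe 1027 www.placeholder-host.de /mail.php FAIL
2005-07-10 12:00:51 iexplore.exe 1028 www.placeholder-host.de /mail.php OK
2005-07-10 12:02:40 iexplore.exe 3201 news.example.net /sports.html OK
"""


def parse_line(line):
    """Split one constructed log line into a record."""
    date, time, proc, port, host, path, status = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "proc": proc,
        "port": int(port),
        "host": host,
        "path": path,
        "status": status,
    }


def find_beacons(log_text, periods=(17, 22), tolerance=2, min_events=3):
    """Return groups of connections whose cadence matches one of `periods`.

    A group is (process, host, path). The median gap between consecutive
    attempts is compared with each period; `tolerance` absorbs the roughly
    one-second duration of each attempt. Port stepping (each attempt one
    port higher than the last) is reported as a corroborating indicator.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[(rec["proc"], rec["host"], rec["path"])].append(rec)

    findings = []
    for (proc, host, path), recs in groups.items():
        if len(recs) < min_events:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        med = median(gaps)
        cadence = next((p for p in periods if abs(med - p) <= tolerance), None)
        if cadence is None:
            continue
        ports = [r["port"] for r in recs]
        findings.append({
            "process": proc,
            "host": host,
            "path": path,
            "period_s": cadence,
            "attempts": len(recs),
            "port_range": (ports[0], ports[-1]),
            "port_stepping": all(b == a + 1 for a, b in zip(ports, ports[1:])),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

The cadence alone triggers the finding, because the port increment applies only to failed attempts; on a real log the two together, plus a browser process with no visible window, would justify isolating the host and looking for the files named in this description.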
It then looks for certain lines in those files and reads the data from them (the programs handled by the Trojan are listed below; the specific file names from which the secret data is retrieved are not given for security reasons):

1. The Bat! mail client: logins and passwords;
2. ICQ Internet pager: password;
3. Miranda ICQ Internet pager: serial number, password, user name, installation directory;
4. &RQ Internet pager: password;
5. Settings of Internet and local network connections: user names and passwords, IP address, DNS and WINS servers, etc., computer name;
6. Trillian Internet pager: registration name and number, user password, software configuration and installation type;
7. Windows Commander and Total Commander file managers: installation directory name, network name for logging into the FTP network, address of the FTP resource, user name and password for logging into the network, and certain other information;
8. RimArts Becky! Internet Mail mail client: user name and password, e-mail domain, unique ID number, post office box;
9. Internet Explorer web browser: user name and password, the ISP's IP address, user name and password, connection settings;
10. MS Outlook Express and MS Outlook mail clients: user names and passwords for the incoming (POP3) and outgoing (SMTP) mail servers, mailbox addresses, the cipher code used to encrypt messages (if used);
11. System keys for decrypting user information (from the Trojan's code it is not clear exactly which);
12. CuteFTP (Pro) FTP client: access data, modification/deletion of the resource;
13. E-Type Dialer dialer program: user name and password for the Internet connection;
14. FAR Manager file manager: name of the directory with the basic settings, addresses of connected FTP resources, registration data and certain other information;
15. FTP Home FTP client: information extraction and some software configuration settings;
16. Opera mail client / web browser: location of the program's subdirectories, users' e-mail addresses, logins and passwords, mail server domain connections;
17. Mozilla web browser: some data on the program's configuration.

The Trojan also attempts to find certain DAT files on the disk. The theft of users' e-mail addresses is obviously intended to build a database for future spamming. The Trojan saves all the harvested data to the file C:\WINDOWS\report.bin and then encrypts it with its own crypto algorithm. It then generates an e-mail message "on the fly" addressed to its author. The message with the attachment has the following parameters: Subject: Passes from % ; Sender: zzlib@mail.ru ; Recipient: zzlib@mail.ru ; Attachment: the file report.bin. The symbol "%" in the subject denotes some variable; depending on circumstances the Trojan can append other fragments to the subject. To send the message the Trojan uses its own capabilities. The message is re-sent only after a certain period of time; however, if the user restarts the system, the Trojan attempts to send the message again regardless of the time elapsed, since the corresponding counter is kept in the Trojan's memory only for the duration of the Windows session.
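Because the Trojan sends the report with its own mail engine, the fixed message parameters above (sender and recipient zzlib@mail.ru, a subject beginning "Passes from", an attachment named report.bin) are the indicators an SMTP relay or egress filter can match. The following is an added example, not part of VirusHunter's description: a Python check using the standard library's email package that scores a message on those four indicators and blocks it when the attachment name and at least two header indicators match. The message bodies and the benign control message are constructed; the indicator values are the ones given in the text.

```python
"""Flag the exfiltration message described in this write-up.

Added example, not from the original description. The indicator values
(sender, recipient, subject prefix, attachment name) are those given in
the text; the sample messages built here are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

EXFIL_ADDRESS = "zzlib@mail.ru"
SUBJECT_PREFIX = "Passes from"
ATTACHMENT_NAME = "report.bin"


def build_sample_message(subject_suffix="constructed-variable"):
    """Construct a message with the parameters the Trojan uses."""
    msg = EmailMessage()
    msg["From"] = EXFIL_ADDRESS
    msg["To"] = EXFIL_ADDRESS
    msg["Subject"] = f"{SUBJECT_PREFIX} {subject_suffix}"
    msg.set_content("constructed body text")
    # Constructed stand-in for the encrypted report; the real content
    # is the Trojan's own-cipher ciphertext and is not reproduced here.
    msg.add_attachment(b"\x00\x01constructed-ciphertext",
                       maintype="application", subtype="octet-stream",
                       filename=ATTACHMENT_NAME)
    return msg.as_bytes()


def build_benign_message():
    """Construct an ordinary message that must not be flagged."""
    msg = EmailMessage()
    msg["From"] = "alice@example.net"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Lunch on Friday"
    msg.set_content("constructed body text")
    return msg.as_bytes()


def score_message(raw):
    """Return the list of indicators present in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if EXFIL_ADDRESS in str(msg.get("From", "")).lower():
        hits.append("from")
    if EXFIL_ADDRESS in str(msg.get("To", "")).lower():
        hits.append("to")
    if str(msg.get("Subject", "")).startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.walk():
        if part.get_filename() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits


def should_block(raw):
    """Block when the attachment name plus at least two header indicators match."""
    hits = score_message(raw)
    return ("attachment" in hits and len(hits) >= 3), hits


if __name__ == "__main__":
    print(should_block(build_sample_message()))
    print(should_block(build_benign_message()))
```

The subject prefix also covers the "Passes from Xinch" variant produced after the xinch.exe component runs. Requiring the attachment plus two headers, rather than the sender address alone, keeps the rule useful if a later build changes the mailbox but keeps the report file name.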

4. Download other malicious programs via the Internet.

Before sending the message, the Trojan attempts to download a file builder.exe via the above page. From the Trojan's code it is clear that this is some additional modular component, but it is unclear under what conditions the Trojan downloads it. The Trojan also downloads a Trojan file from the following link: http://%.%/xinch.exe. If the file is present at the specified path, it is loaded onto the machine, installed as C:\WINDOWS\taskmgr.exe, and executed. When run, this file installs another file in the system, which the Trojan then uses: C:\WINDOWS\taskmgr.dll. When xinch.exe has been downloaded and run successfully, the e-mail with the stolen information is sent with the subject "Passes from Xinch". However, at the time of writing the above link does not work; apparently it was written into the Trojan's code with a view to the future.

5. Manifestations of the Trojans during the operation of the system.

Since the Trojan is active almost constantly, trying to reach the Internet, cycling through ports, opening and closing the web browser window, and taking control in its own process for about 1 second every 17-22 seconds, users of infected machines may experience discomfort due to a noticeable decrease in system performance and windows of running programs popping up "to nowhere", which substantially interferes with normal work, in particular with typing text.


6. Miscellaneous.

The Trojan's code contains the following string comments in Russian: "Manager console program", "Windows will not work correctly if you disable this service".

7. Detection and removal of Trojan.

The Trojan Trojan-PSW.InvisibleThief.23019 (file l2decrypt.exe) was sent to the engineers of Eugene Kaspersky's antivirus laboratory, and at the time of writing this description it is detected under the following identification names: Kaspersky Anti-Virus: Trojan-PSW.Win32.LdPinch.qv (added to the virus database 07.10.2005); BitDefender Professional: Generic.PWStealer.DC1030C3 (added to the antivirus database 13.07.2005); DrWeb: Trojan.PWS.LDPinch.462 (added to the antivirus database 28.07.2005). If the Trojan is found on a machine, restart the computer and then delete the file l2decrypt.exe from the disk. The keys written by the Trojan into the system registry need not be deleted. After this it is recommended to change the passwords for the Internet connection, mailboxes, etc. At the moment, the following descriptions of related viruses have been prepared and posted on our website: Trojan-PSW.InvisibleThief.32768, Trojan-PSW.InvisibleThief.SafetyHater.
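The files this description names (the dropper l2decrypt.exe wherever the user saved it, and temp.exe, report.bin, taskmgr.exe and taskmgr.dll in the Windows directory) can be checked for on a file inventory before the reboot-and-delete step above. The following is an added example, not part of VirusHunter's description: a Python sweep over a list of paths that reports those artefacts, keyed on their location so that the legitimate Task Manager in system32 is not confused with the taskmgr.exe the xinch component drops in the Windows directory itself. The inventory is constructed, and C:\WINDOWS is assumed as the %windir% value, as in the text.

```python
"""Sweep a file inventory for the artefacts named in this description.

Added example, not from the original write-up. The input is a list of
path strings (constructed here; in practice a directory listing). The
file names come from the description; C:\\WINDOWS is the assumed windir.
"""
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\WINDOWS")  # assumed, as in the description

# Files the Trojan and its downloaded component place directly in windir.
DROPPED = {
    "temp.exe": "extracted Lineage II (de)crypt utility",
    "report.bin": "encrypted harvest of stolen credentials",
    "taskmgr.exe": "xinch component (the real Task Manager lives in system32)",
    "taskmgr.dll": "helper installed by the xinch component",
}
DROPPER_NAME = "l2decrypt.exe"  # may sit anywhere the user saved it

# Constructed inventory: two dropped files, the dropper in a download
# folder, the legitimate Task Manager, and an unrelated system file.
CONSTRUCTED_INVENTORY = [
    r"C:\WINDOWS\temp.exe",
    r"C:\WINDOWS\report.bin",
    r"C:\WINDOWS\system32\taskmgr.exe",
    r"C:\Downloads\l2decrypt.exe",
    r"C:\WINDOWS\notepad.exe",
]


def sweep(paths):
    """Return (path, explanation) pairs for every artefact found.

    Windows paths compare case-insensitively, so C:\\windows\\TEMP.EXE
    is matched as well. Only files directly in windir count for the
    DROPPED set; the dropper is flagged by name in any directory.
    """
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name == DROPPER_NAME:
            findings.append((str(wp), "dropper; delete after rebooting"))
        elif name in DROPPED and wp.parent == WINDIR:
            findings.append((str(wp), DROPPED[name]))
    return findings


if __name__ == "__main__":
    for path, why in sweep(CONSTRUCTED_INVENTORY):
        print(f"{path}: {why}")
```

The reboot before deletion matters because, as the description notes, the Trojan does not persist across restarts on its own; after the reboot nothing holds l2decrypt.exe open, and the registry keys it wrote can be left in place.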

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 10.07.2005
Date of last change: 17.08.2005
Author of the description: Broido Herman (aka VirusHunter)
