Tuesday, July 19, 2011

Trojan-PSW.InvisibleThief.32768

VirusHunter warns computer users about the spread of the dangerous Trojan program Trojan-PSW.InvisibleThief.32768, which belongs to the "PdPinch" family of Trojans, steals confidential information from infected machines, downloads other malware via the Internet, etc.


1. Installation of the Trojan in the system.

The Trojan is installed on the system over the Internet by some other malware. The Trojan file is placed in the root Windows directory as C:\WINDOWS\cssrs.exe, after which that same, unknown Trojan launches the file for execution and also creates a registry key so that the Trojan is started at each subsequent Windows start-up. The class of this key and its contents are unknown, because on the infected machine from which Trojan-PSW.InvisibleThief.32768 was taken, the Trojan that installed it was not found. After its launch Trojan-PSW.InvisibleThief.32768 creates a further registry key. This key is created only under Windows 2K/XP, and then only if the system updates (SP4 and SP2, respectively) are installed; it allows the Trojan to work as an internal system service with certain privileges and to hide some of its procedures by means of certain system calls. Regardless of the Windows version, therefore, the Trojan can be activated again after a computer restart only if the file cssrs.exe is launched by the other malware. The Trojan file cssrs.exe is written in Microsoft Visual C++ and is 32768 bytes in size. It is a single program, not processed with any compression or encryption utility. In terms of functionality it is similar to the Trojan Trojan-PSW.InvisibleThief.23019, but has some differences.

2. Stealing confidential data.

Immediately after its launch, the Trojan tries to open port 1034 on the infected computer and pass authentication data, in the form of the identifier word _ret_ok_1, to the server with IP address 69.50.171.170. If the server responds, the Trojan creates in the Windows system directory the file C:\WINDOWS\out.bin, into which it collects and then encrypts the sensitive data found on the affected machine. For encrypting the data (as for distributing it) the Trojan uses a built-in encryption mechanism. The list of secret data stolen by the Trojan is identical to the list given in the description of the Trojan program Trojan-PSW.InvisibleThief.23019. The Trojan also attempts to search the drive for some DAT files. The theft of e-mail addresses is evidently carried out to build a database for future spamming. After collecting the secret data, the Trojan generates "on the fly" an e-mail message addressed to its author. The letter with the attachment has the following parameters (attached file: out.bin); the symbol "%" in the subject indicates some kind of variable, in place of which the Trojan may append other fragments to the subject. To send the letters the Trojan uses the HTTP protocol, connecting to the above server 69.50.171.170. The Trojan searches for confidential data again and sends it to its author only after a certain period of time.

3. Downloading other malicious programs via the Internet.

When the Internet connection is up, the Trojan opens port 8020 on the affected machine and tries to retrieve files located at the following addresses (for certain reasons I have replaced parts of the addresses with the sign "%"). To locate the files the Trojan opens port 53, then downloads to the affected machine's disk and runs two Trojans: C:\sys.exe and C:\WINDOWS\vr_sys.dll. The file sys.exe is an independent Trojan 104 096 bytes in size (compressed with the packer "FSG" version 1.33), which performs some harmful actions while the Internet is connected; it has not been studied in detail. The file vr_sys.dll is a dropper (a launcher program, the "detonator" of a Trojan horse, etc.) containing an updated version of the Trojan. This file is not compressed; the working dropper code it contains is 3072 bytes, and the rest of the contents is the file with the updated version of the Trojan. Thus the size of vr_sys.dll may vary and depends on the size of the updated Trojan file contained in its body. The program vr_sys.dll is a one-shot action. Its work is as follows: when run, it creates no registry keys and simply looks in a specific area of system memory for the active process "CSSRS.EXE", that is, our Trojan; it unloads it from memory, overwrites the file cssrs.exe with the updated version, which it extracts from itself, and then launches this new file. After that vr_sys.dll quits and is thereafter nothing more than a junk file. The Trojan also attempts to connect to the server yafveag.ru to exchange some data.
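Sections 2 and 3 together give a small set of network indicators: the server 69.50.171.170, the identifier word _ret_ok_1, the host yafveag.ru, and the local ports 1034, 8020 and 53 the Trojan opens. The following is an added detection example written for this page, not code from the original description or from the author; it matches those indicators against connection-log lines. The log format, the sample lines, the internal addresses and the severity scheme are all constructed assumptions; the ports are treated as local (source) ports, following the wording of the write-up, and flagged only as a weak signal because many legitimate clients use them.

```python
"""Scan connection-log lines for the network indicators given in the write-up."""
import re
from dataclasses import dataclass, field

# Indicators taken from the write-up: the server, the identifier word, the host
# and the ports the Trojan opens on the infected machine.
C2_SERVER = "69.50.171.170"
C2_HOSTNAME = "yafveag.ru"
AUTH_IDENT = "_ret_ok_1"
LOCAL_PORTS = {1034, 8020, 53}

# Constructed log format (an assumption, not from the write-up):
# <date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [dns=<name>] [payload=<text>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)"
    r"(?: dns=(?P<dns>\S+))?(?: payload=(?P<payload>.*))?$"
)


@dataclass
class Hit:
    line_no: int
    host: str                  # internal host that made the connection
    severity: str              # "high" (specific indicator) or "low" (port pattern only)
    reasons: list = field(default_factory=list)


def scan_line(line_no, line):
    """Return a Hit for one log line, or None if it matches nothing or is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons, severity = [], "low"
    if m["dst"] == C2_SERVER:
        reasons.append(f"connection to C2 server {C2_SERVER}")
        severity = "high"
    dns = (m["dns"] or "").rstrip(".").lower()
    if dns == C2_HOSTNAME or dns.endswith("." + C2_HOSTNAME):
        reasons.append(f"DNS lookup of {C2_HOSTNAME}")
        severity = "high"
    if AUTH_IDENT in (m["payload"] or ""):
        reasons.append(f"identifier {AUTH_IDENT} in payload")
        severity = "high"
    # Weak signal: outbound TCP from one of the local ports the Trojan opens.
    if m["proto"] == "TCP" and int(m["sport"]) in LOCAL_PORTS:
        reasons.append(f"outbound TCP from local port {m['sport']}")
    if not reasons:
        return None
    return Hit(line_no, m["src"], severity, reasons)


def scan(lines):
    """Scan an iterable of log lines; returns the list of Hits in log order."""
    return [h for h in (scan_line(i, l) for i, l in enumerate(lines, 1)) if h]


def hosts_to_isolate(hits):
    """Internal hosts with at least one high-severity indicator."""
    return sorted({h.host for h in hits if h.severity == "high"})


# Constructed sample log (internal hosts and third-party addresses are made up).
SAMPLE_LOG = [
    "2005-07-25 09:00:01 192.168.1.20:1034 -> 69.50.171.170:80 TCP payload=_ret_ok_1",
    "2005-07-25 09:00:05 192.168.1.20:8020 -> 198.51.100.9:80 TCP",
    "2005-07-25 09:00:07 192.168.1.20:53 -> 10.0.0.53:53 UDP dns=yafveag.ru",
    "2005-07-25 09:01:00 192.168.1.30:49152 -> 198.51.100.7:80 TCP payload=GET / HTTP/1.1",
    "2005-07-25 09:02:00 192.168.1.40:1034 -> 198.51.100.7:443 TCP",
    "malformed entry",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.host} [{hit.severity}]: " + "; ".join(hit.reasons))
    print("isolate:", hosts_to_isolate(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Only the host with a specific indicator (the server address, the identifier or the DNS lookup) is returned by hosts_to_isolate; hosts that merely used one of the listed ports are reported for review but not escalated.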

4. Miscellaneous.

The Trojan encrypts a report on the messages sent, the files downloaded, the time of its last Internet activity and some other proprietary information and writes it to a specially created file C:\1.dml. It also creates an entry for its file in the registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]; why exactly is unclear. The code of this Trojan modification contains the following text: aPLib v0.42 - the smaller the better :) Copyright (C) 1998-2004 by Joergen Ibsen, All Rights Reserved. This copy of aPLib is free for non-commercial use. More information: http://www.%software.com/

5. Detection and removal of the Trojans.

At the time this description was written, anti-virus programs, Kaspersky Antivirus among them, detected the Trojan Trojan-PSW.InvisibleThief.32768 and the Trojan files it downloads from the Internet under their own nomenclature names. If these Trojan files are found on the machine, it is necessary to kill the processes cssrs.exe and sys.exe in memory (for example, using the Task Manager) and then delete the files from the disk. If desired, the file vr_sys.dll can be deleted as well. The keys the Trojans wrote to the system registry need not be deleted. After this it is recommended to change the passwords for the Internet connection, the mailbox, etc.
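The host-side indicators in sections 1, 3, 4 and 5 (the file paths, the stated sizes of cssrs.exe and sys.exe, the 3072-byte dropper stub, the two process names, and the rule that processes are terminated before files are deleted) can be turned into a repeatable triage check. The following is an added example written for this page, not code from the original description or from the author. It takes a path-to-size mapping and a process list supplied by the caller (so it can be run against a live host with collect_files or against a captured inventory), reports what matches, and emits the remediation order the write-up prescribes. The sample inventory, the Finding class and the wording of the actions are constructed assumptions.

```python
"""Host triage for the file and process indicators given in the write-up."""
import os
from dataclasses import dataclass

# File indicators from the write-up: path -> size in bytes (None = size varies or not stated).
FILE_IOCS = {
    r"C:\WINDOWS\cssrs.exe": 32768,
    r"C:\sys.exe": 104096,
    r"C:\WINDOWS\vr_sys.dll": None,   # 3072-byte dropper stub plus an updated Trojan body
    r"C:\WINDOWS\out.bin": None,      # encrypted container for the stolen data
    r"C:\1.dml": None,                # encrypted activity report
}
_IOC_BY_UPPER = {p.upper(): (p, s) for p, s in FILE_IOCS.items()}
PROCESS_IOCS = {"cssrs.exe", "sys.exe"}
DROPPER_STUB_SIZE = 3072


@dataclass
class Finding:
    kind: str      # "process" or "file"
    name: str
    note: str


def describe_file(path, size):
    """Explain how an indicator file's size relates to what the write-up describes."""
    canonical, expected = _IOC_BY_UPPER[path.upper()]
    if canonical.upper().endswith("VR_SYS.DLL"):
        if size > DROPPER_STUB_SIZE:
            return (f"dropper stub ({DROPPER_STUB_SIZE} bytes) plus "
                    f"{size - DROPPER_STUB_SIZE}-byte embedded Trojan update")
        return f"dropper stub only ({size} bytes)"
    if expected is None:
        return "indicator file present"
    if size == expected:
        return f"size matches the described sample ({expected} bytes)"
    return f"size differs from the described sample ({size} vs {expected} bytes); variant or other file"


def triage(files, processes):
    """files: mapping full path -> size in bytes; processes: iterable of image names.

    Returns (findings, actions). Actions follow the write-up's order: terminate the
    Trojan processes first, then delete the files, then change passwords.
    """
    findings = []
    for proc in processes:
        if proc.lower() in PROCESS_IOCS:
            findings.append(Finding("process", proc, "running Trojan process"))
    for path, size in files.items():
        if path.upper() in _IOC_BY_UPPER:
            findings.append(Finding("file", path, describe_file(path, size)))

    actions = [f"terminate process {f.name}" for f in findings if f.kind == "process"]
    actions += [f"delete file {f.name}" for f in findings if f.kind == "file"]
    if findings:
        # Registry keys left by the Trojans need not be removed, per the write-up.
        actions.append("change passwords (Internet connection, mailbox, etc.)")
    return findings, actions


def collect_files(paths=FILE_IOCS):
    """On the suspect host: gather path -> size for the indicator paths that exist."""
    return {p: os.path.getsize(p) for p in paths if os.path.isfile(p)}


# Constructed sample inventory of an infected host (sizes for the known files follow the write-up).
SAMPLE_FILES = {
    r"C:\WINDOWS\cssrs.exe": 32768,
    r"C:\WINDOWS\vr_sys.dll": DROPPER_STUB_SIZE + 32768,
    r"C:\sys.exe": 104096,
    r"C:\WINDOWS\notepad.exe": 69120,
}
SAMPLE_PROCESSES = ["explorer.exe", "CSSRS.EXE", "sys.exe"]

if __name__ == "__main__":
    found, plan = triage(SAMPLE_FILES, SAMPLE_PROCESSES)
    for f in found:
        print(f"{f.kind:7} {f.name}: {f.note}")
    print("\n".join(f"- {a}" for a in plan))
```

On a live Windows host the file mapping comes from collect_files and the process list from the Task Manager or a process listing; on a clean host both lists are empty and triage returns no actions.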

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 25.07.2005
Date of last change: 25.07.2005
Author of the description: Broido Herman (aka VirusHunter)
