Keylogging Trojan Copies Itself to Windows File
November 20, 2003
Sophos Wednesday issued an alert for Troj/Tofger-A, a keylogging Trojan that copies itself to the file system.exe in the Windows folder in order to run automatically when Windows starts up.
Troj/Tofger-A also adds the following registry entry pointing to this file:

The Trojan also drops the utility library file msin32.dll and creates the text file sysini.ini in the Windows folder. When the Trojan detects an active internet connection, it captures keystrokes typed into Internet Explorer and sends the information to a remote internet address. Troj/Tofger-A may arrive attached to an email as a password-protected ZIP file. The email would have a blank subject line, the message text "Hi! As I've promised I'm sending you my photo. Use old password: 123" and an attached file named MyProfile.zip. Instructions for removing Trojans are at this Sophos page.

Trojan Overwrites Windows Hosts Files
W32.Hostidel.Trojan.B is a variant of W32.Hostidel.Trojan that overwrites the Windows Hosts files. The Trojan also changes the Internet Explorer home page and search page and drops Backdoor.Daemonize in the %System% folder. Technical details are at this Symantec page.

Trojan Sends Dropper File That Executes Other Files on Computer
McAfee is reporting a new version of MultiDropper-GP, a Trojan that has been spammed out in a password-protected archive called "MyProfile.zip" (5677 bytes long). The message body contains the password (and there is no 'Subject'): The ZIP contains "Profile.html" file (19732 bytes, detectable as Exploit-Codebase). This drops a PE file called "Dating.exe" (13824 bytes), which is a new multidropper. The dropper files serve only to drop and execute other files on the target machine. When run, this is exactly what they do - the dropper itself does not install on the victim machine. The dropper file will be of varying length (varying with the size of the file(s) it drops), and is likely to be packed.
Files created with this multidropper application may contain the following text:

More information is at this McAfee page.

Trojan Creates Registry Keys
BackDoor-ATM.gen is a generic detection for a remote access Trojan written in Visual Basic. As this description is meant to be generic, filenames and registry keys may differ.
Upon installation, the following registry keys are created. The subkeys contain settings used by the backdoor.
The following registry keys are also created to run the Trojan at startup:

Once running on the victim machine, the server component opens a TCP socket on port 6351 and accepts commands sent from the client component. The following functions may be performed on the compromised machine:

More information is at this McAfee page.

Password-Stealing Trojan Sends Information to Author
Spy-Tofger is a password-stealing Trojan that captures keystrokes and sends notification and captured information to the author via SMTP mail. It has keylogging and backdoor functionalities. There are two variants of this Trojan reported; the description is a general guide. The Trojan might arrive in a dropper file. When the dropper file is run, it copies the main Trojan and its dependent DLL to the local machine and launches the main Trojan. The Trojan requires the file msin32.dll to run, which is a keylogger DLL.
When run, the Trojan creates the following registry key:

It registers itself as a service process using the RegisterServiceProcess API. It creates a hidden window running in the background. It also creates the file %SysDir%/sysini.ini, where %SysDir% is the Windows system directory.
It opens port 10002 on the local system and listens for remote commands. It can perform the following backdoor activities:

More information is at this McAfee page.

Trojan Allows Hacker Access to Multiple Systems
Parlay is a remote proxy Trojan that allows the remote hacker to connect to other systems via the compromised system and so obscure his tracks when either hacking into or attacking another system.
Upon execution, the Trojan installs itself into the %Sys32Dir% directory as REALUPD.EXE (where %Sys32Dir% is the Windows System32 directory, for example C:\WINDOWS\SYSTEM32).
For example:
The following Registry key(s) is/are added to hook system startup:

More information is at this McAfee page.

Agobot Worm Variants Exploit Various Microsoft Vulnerabilities
Worm_Agobot.AQ is a worm that exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:
For more information about these Windows vulnerabilities, please refer to the following Microsoft security bulletins:

It attempts to log into systems using a list of user names and passwords. This worm then drops a copy of itself on accessed machines. It also terminates antivirus-related processes and files dropped by other malware. This worm steals CD keys of certain game applications, then sends gathered data to a remote user via mIRC, a chat application. It also has backdoor capabilities and may execute remote commands on the host machine. It runs on Windows NT, 2000 and XP. Technical details are at this Trend Micro page.
Worm_Agobot.AR is similar to the above Agobot variant and exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:
For more information about these Windows vulnerabilities, please refer to the following Microsoft security bulletins:

It attempts to log into systems using a list of user names and passwords. This worm then drops a copy of itself on accessed machines. It also terminates antivirus-related processes and files dropped by other malware. This worm steals CD keys of certain game applications, then sends gathered data to a remote user via mIRC, a chat application. It runs on Windows NT, 2000 and XP. Technical details are at this Trend Micro page.

--Compiled by Esther Shein
Story courtesy of eSecurity Planet.
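Several of the alerts above share the same persistence and network footprint: a startup (Run) registry entry pointing at a dropped file such as system.exe or REALUPD.EXE, a modified Hosts file, and a listening TCP port (6351, 10002). The script below is an added example written for this roundup, not code from Sophos, Symantec, McAfee or Trend Micro; it takes a snapshot of Run-key values, Hosts-file text and netstat-style output and reports anything matching the file names and ports named in the article. The file-name and port indicator sets come from the article; the sample Run key, Hosts file and netstat lines are constructed for the example, and the "baseline" of expected Hosts entries is an assumption that an analyst would replace with a known-good copy from their own environment.

```python
import ntpath
import re

# Indicators taken from the article: dropped file names and listening ports.
ARTICLE_FILENAMES = {"system.exe", "msin32.dll", "sysini.ini", "realupd.exe", "dating.exe"}
ARTICLE_PORTS = {6351, 10002}

# Assumed baseline of a clean Hosts file; any other mapping is reported for review.
HOSTS_BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def executable_from_command(command):
    """Return the lowercase base name of the program a Run-key command line launches.

    Handles both quoted ("C:\\dir\\prog.exe" args) and unquoted (C:\\dir\\prog.exe args) forms.
    """
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def flag_run_entries(run_entries):
    """run_entries: mapping of Run-key value name -> command line.

    Returns the value names whose launched file matches an article indicator.
    """
    return sorted(name for name, cmd in run_entries.items()
                  if executable_from_command(cmd) in ARTICLE_FILENAMES)


def hosts_entries_outside_baseline(hosts_text):
    """Parse Hosts-file text and return (ip, hostname) pairs not in HOSTS_BASELINE."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            pair = (ip, name.lower())
            if pair not in HOSTS_BASELINE:
                found.append(pair)
    return found


def flag_listening_ports(netstat_lines):
    """Parse 'netstat -an'-style lines and return listening TCP ports named in the article."""
    hits = set()
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) in ARTICLE_PORTS:
            hits.add(int(m.group(1)))
    return sorted(hits)


# Constructed sample data for the example (not taken from the article).
SAMPLE_RUN_KEY = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "RealUpdate": r"C:\WINDOWS\SYSTEM32\REALUPD.EXE",
    "sysboot": r'"C:\WINDOWS\system.exe" -quiet',
}
SAMPLE_HOSTS = """# constructed sample Hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.99       www.example-bank.test   # constructed redirect entry
"""
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6351           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING",
]

if __name__ == "__main__":
    print("Run-key entries matching article indicators:", flag_run_entries(SAMPLE_RUN_KEY))
    print("Hosts entries outside baseline:", hosts_entries_outside_baseline(SAMPLE_HOSTS))
    print("Listening ports named in the article:", flag_listening_ports(SAMPLE_NETSTAT))
```

On a live Windows host the three inputs would come from exporting the HKLM and HKCU Run keys, reading %SystemRoot%\System32\drivers\etc\hosts, and capturing `netstat -an`; matching only on file names and ports is a triage heuristic, so a hit is a prompt to pull the file and check its hash with the vendor, not a verdict on its own.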