Virus Name: Agent-Spy.CF
Risk Assessment: Low
Discovery Date: 27/02/2008
Min DAT: 5240
Type: Trojan
SubType: Spyware

Virus Characteristics


This trojan has recently been distributed in spam emails like the following:

Subject: Proforma Invoice for Chicago Display Marketing Corporation

Message body:

To: Chicago Display Marketing Corporation (Attn: names vary)

The Proforma Invoice is attached to this message. You can find the file in
the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.

Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100

Attachment: Proforma_Invoice.doc

Installation

The spam emails carry a DOC file (Proforma_Invoice.doc) with an executable embedded in it; the executable only runs if the recipient double-clicks it. The DOC file contains the following text:

  • DOUBLE CLICK THE ICON ABOVE TO VIEW THE DOCUMENT DETAILS

Upon execution, the trojan drops Microsoft.dll and Microsoft.exe; the drop location varies between variants.

For example:

  • C:\Microsoft.dll (425,986 bytes)
  • C:\Microsoft.exe (119,810 bytes)

The trojan creates registry entries to run itself at Windows startup, such as the following:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32KernelStart = "C:\microsoft.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32KernelStart = "C:\microsoft.exe"

It also registers the dropped DLL as a Browser Helper Object (BHO), so that Internet Explorer loads the DLL each time it is started.

Information Stealing

The trojan gathers the information stored in the following directories:

  • %USERPROFILE%\Cookies\
  • %USERPROFILE%\Local Settings\History
  • %USERPROFILE%\Local Settings\Temporary Internet Files

Note:

%UserProfile% is a variable location and refers to the user's profile folder, typically C:\Documents and Settings\%user%.

The trojan then attempts to connect to the following site:

  • http://athenagear.com/[removed]?gt=yes

Symptoms

Presence of the files and registry entries listed previously, and attempts to connect to the site listed above.

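As an added example (not part of the original write-up, and not the vendor's own detection or removal tooling), the following Python script checks a host for the persistence artifacts listed under Installation and for the connection attempt listed under Information Stealing. It runs offline on constructed input: a regedit export, a file listing and two proxy log lines, all made up for this example. The Win32KernelStart Run value, the Microsoft.exe/Microsoft.dll file names, the athenagear.com host and the gt=yes query come from the write-up; the BHO's CLSID and the request path on athenagear.com are invented, because the write-up gives neither.

```python
import re

# Constructed regedit 5.00 export (sample data, not from the write-up): the two Run
# values the write-up lists plus a hypothetical Browser Helper Object registration
# whose CLSID is made up, because the write-up does not give the real one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32KernelStart"="C:\\microsoft.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32KernelStart"="C:\\microsoft.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}\InprocServer32]
@="C:\\Microsoft.dll"
'''

# Constructed file listing as (path, size in bytes); sizes are the write-up's examples.
SAMPLE_FILES = [
    (r"C:\Microsoft.dll", 425986),
    (r"C:\Microsoft.exe", 119810),
    (r"C:\Windows\System32\kernel32.dll", 989696),
]

# Constructed proxy log lines; the request path is invented, the write-up redacts it.
SAMPLE_PROXY_LOG = [
    "2008-02-27 10:14:02 10.0.0.12 GET http://www.example.com/index.html 200",
    "2008-02-27 10:14:09 10.0.0.12 GET http://athenagear.com/invented/path?gt=yes 200",
]

# Indicators taken from the write-up.
DROPPED_NAMES = {"microsoft.exe", "microsoft.dll"}
RUN_VALUE_NAME = "win32kernelstart"
C2_HOST = "athenagear.com"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
BHO_KEY_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]+\})$", re.I)
INPROC_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32$", re.I)
URL_RE = re.compile(r"https?://([^/\s:]+)\S*?[?&]gt=yes", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # case-insensitive name match


def parse_reg(text):
    """Parse a regedit 5.00 export into {key: {value_name: data}}.
    String values are unescaped; other value types are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def scan_host(keys, files):
    """Return (kind, detail) hits for the Run values, the BHO and the dropped files."""
    hits = []
    clsid_to_dll = {}  # CLSID -> DLL named by its InprocServer32 default value
    for key, values in keys.items():
        m = INPROC_KEY_RE.search(key)
        if m:
            clsid_to_dll[m.group(1).upper()] = values.get("(Default)", "")
    for key, values in keys.items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if name.lower() == RUN_VALUE_NAME or basename(data) in DROPPED_NAMES:
                    hits.append(("run_key", f"{key}\\{name} = {data}"))
        m = BHO_KEY_RE.search(key)
        if m:
            dll = clsid_to_dll.get(m.group(1).upper(), "")
            if basename(dll) in DROPPED_NAMES:
                hits.append(("bho", f"{m.group(1)} -> {dll}"))
    for path, size in files:
        if basename(path) in DROPPED_NAMES:
            hits.append(("file", f"{path} ({size} bytes)"))
    return hits


def scan_proxy_log(lines):
    """Flag requests to the write-up's host that carry the gt=yes query parameter."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if m and (m.group(1).lower() == C2_HOST or m.group(1).lower().endswith("." + C2_HOST)):
            hits.append(("network", line.strip()))
    return hits


def triage(reg_text=SAMPLE_REG, files=SAMPLE_FILES, proxy_lines=SAMPLE_PROXY_LOG):
    """Combine host and network indicators into one list of (kind, detail) hits."""
    return scan_host(parse_reg(reg_text), files) + scan_proxy_log(proxy_lines)
```

On a live machine the same logic applies to a `reg export` of the two Run keys and the Browser Helper Objects key, a directory listing, and the web proxy log. File names alone are a weak indicator, since the drop location varies between variants and the names are chosen to look benign, so treat a file hit as a prompt to verify the Run value and the BHO registration rather than as a conviction on its own.
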
Method Of Infection
 
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include email, IRC, peer-to-peer networks, newsgroup postings, etc.

 

Removal Instructions
 
Use specified engine and DAT files for detection and removal. This threat will be cleaned if you have this combination.
 

 

     1386 Shabakeh Gostar Eng

 
