Virus Database

Platov Family

Description Platov Family

These are very dangerous memory resident parasitic partly encrypted viruses. They copy themselves to the address 9800:0000h, and hook INT 8, 17h, 21h. While executing the viruses search for COM files of the current directory (except COMMAND.COM) and write themselves to the end of the file.
Depending on the system date the viruses delete the files that are executed, reboot the computer, change the symbols that are printed.
While selecting the A: drive the viruses display the message in Russian "Don't use floppy disks! There may be the viruses!" and erase the floppy disk sectors.
While selecting the GAMES or ANT subdirectories the viruses display the messages in Russian about computer games.
The viruses also contain the text strings:
Access Denied Software presents
The PC Virus
Programmed by Andrey Platov 15 years old on 09.07.1992
Hello to Igan, Pershin
gamesantCOMMAND*.COM

Check other viruses! Be aware! Use Antiviral Software

Backdoor.Padodor.w

Description Backdoor.Padodor.w

also known as TrojanSpy.Win32.Qukart
Padodor/Qukart was created by a Russian hacker group called HangUp Team. The original Padodor backdoor source code was used to create this variant, but the backdoor functionality was removed. Padodor/Qukart steals personal information including credit card numbers, logins and passwords that a user types and other sensitive data. The Padodor.W variant was found early on June 25th, 2004 as a result of the Scob incident investigation.
http://www.f-secure.com/v-descs/scob.shtml
Detailed Description
The trojan's file is a PE executable 51712 bytes long. The trojan's file is encrypted and the decryption routine is polymorphic. Every time the trojan installs itself, it changes its decryptor, so its file will look different after every installation. The trojan was created using Padodor backdoor code. There's some discussion now as to whether HangUp Team was involved. Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents. Up to .G variant of Padodor their copyright was in the backdoor files
In the later variants of the backdoor the copyright string was removed, but the project name "padonok" (an incorrectly spelled Russian word "podonok" that means "scum") remained.
Installation to System
When the trojan's file is run, it installs itself to the system. It copies its file to Windows System directory with a random name that can contain '32' in the end. The name can be for example 'amackg32.exe'. Also the trojan extracts and writes a small DLL file to Windows System folder. That file also has a randomly generated name that can contain '32' in the end, for example 'bnldnl32.dll'. That DLL file is a starter for the dropped trojan's executable file. It already contains the name of the dropped trojan file - it is inserted there before extraction.
Then the trojan creates a few Registry keys:
[HKCRCLSID{79FEACFF-FFCE-815E-A900-316290B5B738}InProcServer32]
@ = "%WinSysDir%.dll"
"ThreadingModel" = "Apartment"
where %WinSysDir% represents the name of Windows System folder and represents a randomly generated file name. As a result, the DLL gets loaded every time Windows starts and it activates the trojan's file.
Also the trojan creates the following Registry key value:
[HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The trojan creates a mutex named 'KingKarton_10' and checks it at startup to avoid loading several copies of itself to memory.
The trojan creates the 'surf.dat' file in Windows System folder and writes the computer name and user name there every time it activates.
Theft of passwords and credit card numbers
When the trojan is active, one of its threads is constantly looking for the following text strings in Microsoft Internet Explorer windows:
.paypal.com
signin.ebay.
.earthlink.
.juno.com
my.juno.com/s/
webmail.juno.com
.yahoo.com
and
Sign In
Log In
If such text strings are found, the trojan tracks the user's login and password and saves it to a file called DNKK.DLL located in Windows System folder. Then the trojan can show a fake webform and ask a user to select his/her credit card type, input his/her full name, credit card number, expiration date, CVV2 code and ATM PIN. The collected data is stored in a file called KK32.DLL file located in Windows System folder.
The trojan creates a thread that periodically creates or changes the following Registry keys:
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionInternet Settingsones]
"1601" =
[HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
"GlobalUserOffline" =
[HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowseNewProcess]
"BrowseNewProcess" = "yes"
Then this thread creates an HTML file where it copies stolen data, opens it with Internet Explorer and the data gets submitted to one of the following websites (selected randomly) using a small script:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
After submitting the information, the trojan checks for feedback from the site and if it is a string equal to 'X-okRecv11', the trojan deletes the HTML file and terminates Internet Explorer.
The trojan creates another thread that periodically accesses the following webpages:
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://ldark.nm.ru/index.htm
http://fethard.biz/index.htm
Before accessing the above mentioned websites the trojan creates an HTML file with a special script. If the index.htm page on these sites contain 'X-okRecv11' string the trojan terminates Internet Explorer and deletes the created HTML file. Otherwise the trojan browses Internet cache files and appends the last used HTML file to the KK32.VXD file located in Windows System folder.
It should be noted that during the operation described above the trojan creates a new desktop called 'blind_user' on an infected computer that a user can not see and then opens Internet Explorer there.
© F-Secure Corporation

Backdoor.Phase.10

Description Backdoor.Phase.10
This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (aka Back Orifice Trojan) trojan. Also known as Phase Server. It allows to administrate infected computers from a remote console, to steal files, to damage installed software, upload/download/execute files, change/list/create/remove directory, copy/move/rename/delete file, lockup server, crash server, create/delete/read/modify registry key and so on.

Home