TrojanProxy.Win32.Webber.h
Description TrojanProxy.Win32.Webber.h
This Trojan runs under Windows. It creates a hidden proxy server (allowing up to 100 connections) and then sends the IP address of the victim machine and cached passwords to its creator. It also downloads additional .exe files from a web site, and updates itself by executing these files on the victim machine. This Trojan first appeared in infected messages on 16th July 2003.

Infected messages

Attachment: web.da.us.citi.heloc.pif, which when launched downloads and executes the .exe file that is the main component of the Trojan.

Message header: Re: Your credit application

Message body:

Dear sir, Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time. *Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.

Installation

On launch, the Trojan copies itself to the Windows system directory under a random name and creates an additional .dll component with a random name in the same directory. It creates the following keys in the system registry to ensure auto-run:

HKCR\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}
InProcServer32 = %trojan DLL name%
ThreadingModel = Apartment

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Web Event Logger = {79FA9088-19CE-715D-D85A-216290C5B738}

The Trojan contains the following copyright text string: Webber10
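A check for the auto-run entries described above, as an added example that is not part of the original description: it parses a registry export, lists every ShellServiceObjectDelayLoad entry with the DLL its CLSID resolves to, and flags the Webber CLSID. The function names, the sample export and its DLL names are constructed; it assumes the export is already decoded to text and that the DLL path is the default value of the InProcServer32 subkey.

```python
import re

# CLSID taken from the description above.
WEBBER_CLSID = "{79FA9088-19CE-715D-D85A-216290C5B738}"
SSODL = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"

# Constructed sample in .reg export format; DLL names and the second entry are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"
"ExampleBenign"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\example1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\example2.dll"
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def audit_ssodl(text):
    """List each ShellServiceObjectDelayLoad entry, its resolved DLL, and a Webber flag."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in keys.get(SSODL, {}).items():
        server = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        findings.append({"value": name, "clsid": clsid, "dll": server.get(""),
                         "webber": clsid.upper() == WEBBER_CLSID})
    return findings
```

Because the DLL name is random, the resolved `dll` path of a flagged entry is the file to collect; entries with no resolvable DLL are also worth reviewing.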
Malign Family
Description Malign Family
These are not dangerous, memory-resident parasitic viruses. They hook INT 21h, and when the DOS functions GetDisk or SetDisk are executed, the viruses search for COM files and write themselves to the beginning of each. Sometimes they display the string "Malign". On a read/write error, the virus "Malign.630" also displays "Wait".
Malmsey.495.a
Description Malmsey.495.a
This is a dangerous, non-memory-resident parasitic virus. It searches for EXE files and writes itself to the end of each. Sometimes it infects files incorrectly, and they hang when executed. It contains the internal texts: LM Malmsey Habitat v. 2.0 Lucifer Messiah -- ANARKICK SYSTEMS 07-18-92 Happy Birthday Pob!!