Spy-Agent.cf

Type: Trojan
SubType: Spyware
Discovery Date: 06/15/2007
Length: Varies
Minimum DAT: 5056 (06/19/2007)
Updated DAT: 5715 (08/20/2009)
Minimum Engine: 5.1.00
Description Added: 06/15/2007
Description Modified: 04/08/2008 3:10 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

All Information

Overview -

Update April 08, 2008

A variant with the file name incomplete_contract.doc has been discovered recently.

When opened, the Word file displays the following message: "Micrsoft Word has encountered an error and needs to be close. Please double click the icon the reload msword.exe."

When the icon is double-clicked, the trojan connects to

hxxp://www.[blocked].com/allegati/ptx70-44_e.pdf/irs_efill.php

to download a further malicious executable (detected as Generic PWS.b) and saves it to %windir%\svchost.exe.

Update February 27, 2008

This trojan has recently been spammed in emails carrying a complaint.zip attachment. The complaint.zip file contains a file named complaint.scr or complaint_pdf[0-9].scr.

Upon execution the trojan connects to

  • hxxp://beacon[random].com/2006/pdf/irs_efill.php
  • hxxp://www.pks-jakar[blocked]/pics/default/irs_efill.php

It also downloads the following legitimate PDF files, probably to convince the user that the attachment was a genuine document:

  • hxxp://www.irs.gov/pub/irs-pdf/f3949a.pdf
  • hxxp://www.ago.state.co.us/consline/complaint.pdf

The trojan also copies itself to %windir%\svchost.exe. The genuine svchost.exe resides in %windir%\system32, so a svchost.exe directly under %windir% is itself an indicator.

This variant can also download further trojans and malware onto the system; for this it may contact the following site:

  • hxxp://zenazone.eu[blocked]install.exe

Update December 5, 2007

A later variant has been discovered which creates its DLL as c:\xp2007.dat; it was not observed to copy the EXE locally or to create a Registry Run key for the EXE.


This detection is for a trojan which attempts to steal information from a user's system.  It gathers keyboard strokes, window and clipboard contents and other system-specific information.

There have been multiple spam runs recently of this trojan, with a filename of Proforma_Invoice.doc (689,664 bytes).  The MD5s of the files from separate spam runs differ.  Previous variants may be detected with the 5055 DATs as Generic Dropper.p and dropped files as Generic Spy.e.

Characteristics -

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://blogs.pcworld.com/staffblog/archives/004662.html

This trojan has recently been spammed with emails like the following:

Subject: Proforma Invoice for Chicago Display Marketing Corporation

Message body:

To: Chicago Display Marketing Corporation (Attn: names vary)

The Proforma Invoice is attached to this message. You can find the file in
the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks.

Beckman Instruments, Inc.
2500 Harbor Boulevard, E-26-C
Fullerton, CA 92634-3100

Attachment: Proforma_Invoice.doc

Installation

The spam emails carry a DOC file (Proforma_Invoice.doc) with an executable embedded in it; the executable only runs if the user double-clicks its icon inside the document. The DOC file shows the following text:

  • DOUBLE CLICK THE ICON ABOVE TO VIEW THE DOCUMENT DETAILS
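Because the lure depends on the user launching an executable embedded in the document rather than on a Word exploit, a mail gateway can catch it before delivery by looking for a PE header inside the .doc container. The Python below is an added example for this page, not code from the original description or from McAfee; the two sample documents are constructed byte strings that only mimic the layout of a .doc with an embedded program, and the stream name in the sample is decoration, not a parsed structure.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header used by Word 97-2003 .doc
DOS_STUB = b"This program cannot be run in DOS mode"


def find_embedded_pe(data: bytes) -> list[int]:
    """Return offsets of PE headers found anywhere inside `data`.

    A PE image starts with 'MZ'; the little-endian uint32 at +0x3C (e_lfanew)
    gives the offset of the 'PE\\0\\0' signature relative to 'MZ'. Checking that
    link rejects the random 'MZ' byte pairs that occur in ordinary text and
    binary data, which a bare string search would report as hits.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def assess_doc(data: bytes) -> dict:
    """Classify an attachment: OLE container + embedded PE = executable lure."""
    is_ole = data.startswith(OLE_MAGIC)
    pe_offsets = find_embedded_pe(data)
    return {
        "is_ole_document": is_ole,
        "embedded_pe_offsets": pe_offsets,
        "dos_stub_present": DOS_STUB in data,       # secondary, string-only indicator
        "verdict": "embedded executable" if (is_ole and pe_offsets)
                   else "no embedded executable found",
    }


def _fake_pe() -> bytes:
    # Constructed stand-in for an embedded executable: just enough of a PE
    # header to satisfy the e_lfanew check above. It is not a runnable program.
    hdr = bytearray(b"MZ" + b"\x90" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> 'PE\0\0' at +0x80
    stub = DOS_STUB.ljust(0x40, b"\x00")          # bytes 0x40..0x7F
    return bytes(hdr) + stub + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples: a 512-byte OLE header followed by a payload region. The
# real Packager stream is named "\x01Ole10Native"; here that name is only a label.
SAMPLE_LURE_DOC = (OLE_MAGIC + b"\x00" * 504
                   + b"\x01Ole10Native" + b"\x00" * 16 + _fake_pe())
SAMPLE_CLEAN_DOC = (OLE_MAGIC + b"\x00" * 504
                    + b"Quarterly invoice text. MZ appears here in prose." + b"\x00" * 100)


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE_DOC), ("clean", SAMPLE_CLEAN_DOC)):
        print(label, assess_doc(doc))
```

A .doc stores streams in 512-byte sectors that need not be contiguous, so a PE header split across a sector boundary would be missed; a negative result is therefore not conclusive, and a production filter should walk the ObjectPool storage with an OLE parser such as olefile and test each \x01Ole10Native stream. A positive result on a document that claims to be an invoice is enough to quarantine.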

Upon execution the trojan drops Microsoft.dll and Microsoft.exe; the drop location varies between variants.

For example:

  • C:\Microsoft.dll (425,986 bytes)
  • C:\Microsoft.exe (119,810 bytes)

Registry entries are created to run the EXE at Windows startup, such as the following:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Win32KernelStart" = "C:\microsoft.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Win32KernelStart" = "C:\microsoft.exe"

It also registers the DLL as a Browser Helper Object so that Internet Explorer loads it each time it starts.
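To check a host for the artefacts listed in this section together with those from the December 2007 update (c:\xp2007.dat) and the February and April 2008 updates (%windir%\svchost.exe), the Python below parses the text output of `reg query <key> /s` and a list of file paths collected from the host. It is an added example written for this page, not McAfee's code. The registry text and file list are constructed; the CLSID in the sample is a nil-GUID placeholder because the description does not give the BHO's CLSID. On a real host the inputs come from `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, the HKCU equivalent, and `reg query HKCR\CLSID /s` (for InprocServer32 paths), plus a directory listing.

```python
import re
from pathlib import PureWindowsPath

# File names dropped by the variants described on this page. The drop location
# varies between variants, so matching is on the file name, not the full path.
DROPPED_NAMES = {"microsoft.exe", "microsoft.dll", "xp2007.dat"}

# `reg query <key> /s` prints each key path on its own line, then one value per
# indented line: "<name>    <REG_TYPE>    <data>", fields separated by runs of spaces.
_VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def _exe_from_data(data: str) -> PureWindowsPath:
    """Strip quotes and trailing arguments from a Run/InprocServer32 value."""
    data = data.strip()
    if data.startswith('"'):
        data = data[1:].split('"', 1)[0]
    else:
        data = data.split(" ", 1)[0]   # first token; legitimate entries may carry switches
    return PureWindowsPath(data)


def scan_reg_query(text: str) -> list[dict]:
    """Flag values that launch a dropped file, or use the Win32KernelStart value name."""
    findings = []
    current_key = ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        path = _exe_from_data(data)
        reasons = []
        if name.lower() == "win32kernelstart":
            reasons.append("Run value name used by Spy-Agent.cf")
        if path.name.lower() in DROPPED_NAMES:
            reasons.append(f"points at dropped file {path.name}")
        if reasons:
            findings.append({"key": current_key, "value": name, "data": data, "reasons": reasons})
    return findings


def scan_files(paths, windir=r"C:\WINDOWS") -> list[tuple[str, str]]:
    """Flag dropped file names and a svchost.exe sitting directly under %windir%.

    The genuine svchost.exe lives in %windir%\\system32 (and SysWOW64), so one
    directly in %windir% is the copy made by the Feb/Apr 2008 variants.
    """
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name in DROPPED_NAMES:
            hits.append((p, "file name dropped by Spy-Agent.cf"))
        elif name == "svchost.exe" and str(wp.parent).lower() == windir.lower():
            hits.append((p, "svchost.exe outside system32 (Feb/Apr 2008 variants)"))
    return hits


# Constructed `reg query` output. The CLSID below is a nil-GUID placeholder:
# the description does not give the BHO's real CLSID.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Win32KernelStart    REG_SZ    C:\microsoft.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Program Files\Acme\updater.exe" /background

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
    (Default)    REG_SZ    C:\Microsoft.dll
    ThreadingModel    REG_SZ    Apartment
"""

# Constructed file listing (what a recursive dir of C:\ might contain).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\Microsoft.dll",
    r"C:\Program Files\Acme\updater.exe",
]

if __name__ == "__main__":
    for f in scan_reg_query(SAMPLE_REG):
        print("REG ", f["key"], f["value"], "->", f["data"], "|", "; ".join(f["reasons"]))
    for path, why in scan_files(SAMPLE_FILES):
        print("FILE", path, "|", why)
```

The registry parser deliberately keys on the value name as well as the target path: a variant that drops to a different location still registers as Win32KernelStart, and a BHO entry is caught because its InprocServer32 default value is just another REG_SZ pointing at the dropped DLL.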

Information Stealing

The trojan gathers the information stored in the following directories:

  • %USERPROFILE%\Cookies\
  • %USERPROFILE%\Local Settings\History
  • %USERPROFILE%\Local Settings\Temporary Internet Files

Note:

%UserProfile% is a variable location and refers to the user's profile folder, typically C:\Documents and Settings\%user%.

The trojan attempts to connect to the following site:

  • http://athenagear.com/[removed]?gt=yes
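The check-in URL above, the irs_efill.php URLs from the February 2008 update and the two legitimate PDFs that variant fetches as decoys can be correlated in web-proxy logs: the decoy PDFs are benign on their own, but fetched by the same client seconds after an irs_efill.php request they corroborate the infection. The Python below is an added example for this page, not McAfee's detection logic. The log format (timestamp, client, method, URL, status) and every log line are constructed; hosts use the reserved .invalid domain where the description redacts them, and the athenagear.com path is a placeholder because the description removes it.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed log layout: "<ISO timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Legitimate PDFs the Feb 2008 variant downloads as decoys (host, path).
DECOY_PDFS = {
    ("www.irs.gov", "/pub/irs-pdf/f3949a.pdf"),
    ("www.ago.state.co.us", "/consline/complaint.pdf"),
}


def classify(url: str):
    """Return an indicator label for URLs named in the description, else None."""
    u = urlsplit(url)
    host = u.hostname or ""
    if u.path.lower().endswith("/irs_efill.php"):
        return "c2-checkin (irs_efill.php)"
    if host == "athenagear.com" and parse_qs(u.query).get("gt") == ["yes"]:
        return "c2-checkin (athenagear.com ?gt=yes)"
    # The description only shows "zenazone.eu[blocked]install.exe", so this is a
    # looser, lower-confidence match on the host prefix and file name.
    if host.startswith("zenazone.eu") and u.path.lower().endswith("/install.exe"):
        return "payload-download (install.exe)"
    return None


def is_decoy(url: str) -> bool:
    u = urlsplit(url)
    return (u.hostname or "", u.path) in DECOY_PDFS


def detect(lines, window=timedelta(minutes=2)):
    """Yield (client, label, url) alerts; decoy fetches only count after a check-in."""
    alerts = []
    last_checkin = {}                     # client -> time of most recent indicator hit
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        t = datetime.fromisoformat(ts)
        label = classify(url)
        if label:
            alerts.append((client, label, url))
            last_checkin[client] = t
        elif is_decoy(url) and client in last_checkin and t - last_checkin[client] <= window:
            alerts.append((client, "decoy-pdf after c2-checkin (corroborating; do not block)", url))
    return alerts


# Constructed sample log. 10.1.4.22 shows the full Feb 2008 sequence, 10.1.4.57
# downloads an IRS form legitimately, 10.1.4.90 hits the athenagear.com check-in.
SAMPLE_LOG = [
    "2008-02-28T09:12:03 10.1.4.22 GET http://beacon-example.invalid/2006/pdf/irs_efill.php 200",
    "2008-02-28T09:12:05 10.1.4.22 GET http://www.irs.gov/pub/irs-pdf/f3949a.pdf 200",
    "2008-02-28T09:12:06 10.1.4.22 GET http://www.ago.state.co.us/consline/complaint.pdf 200",
    "2008-02-28T09:13:10 10.1.4.22 GET http://zenazone.eu.example.invalid/install.exe 200",
    "2008-02-28T09:20:00 10.1.4.57 GET http://www.irs.gov/pub/irs-pdf/f3949a.pdf 200",
    "2008-02-28T09:25:44 10.1.4.90 GET http://athenagear.com/path-removed?gt=yes 200",
    "2008-02-28T09:26:01 10.1.4.90 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, label, url in detect(SAMPLE_LOG):
        print(f"{client:<12} {label:<55} {url}")
```

Blocking irs.gov or the Colorado AG site would break legitimate traffic; the decoy rule therefore only annotates, while the irs_efill.php and ?gt=yes rules are specific enough to block at the proxy and to drive host triage for the source address.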

 

 

Symptoms -

  • Presence of the files and registry entries listed previously

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include email, IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants -

    N/A