Uploader-D.b

Type: Trojan
SubType: Uploader
Discovery Date: 03/26/2003
Length: 207,872 bytes (UPX packed)
Minimum DAT: 4255 (04/02/2003)
Updated DAT: 4255 (04/02/2003)
Minimum Engine: 5.1.00
Description Added: 03/26/2003
Description Modified: 03/26/2003 9:12 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This detection is for a data-stealing trojan which mails certain files to a specific email address. The file is written in Borland Delphi, but is likely to be compressed with a runtime compressor such as UPX.

The trojan is a later variant of an existing threat detected as Uploader-D.a.

When executed, the trojan does not install itself in any manner on the victim machine. It builds a list of files matching the following wildcards on local and remote drives:

  • *.DOC
  • *.XLS
  • SE*.DBX (targets the Outlook Express sent-messages store, "SENT ITEMS.DBX")

If matching files are found, they are mailed to an email address hardcoded within the trojan. (Files whose names begin with README, WINWORD, TEST or WORD are excluded from the search.) The message is constructed using the trojan's own SMTP engine, and a legitimate French SMTP server is used for sending the mail. The mail is formatted as follows (the exact target email address, in the @ifrance.com domain, has been masked as 'xxx'):

From: IP address of victim machine (xxx@ifrance.com)
To: xxx@ifrance.com
Subject: "machine name" [IP address of victim machine]
Body: list of matching files (full paths)
Attachments: base64 encoded files (with original filenames)
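The collection rules above (wildcards plus name-prefix exclusions) and the outbound mail shape are enough to scope exposure on a host and to flag matching traffic in mail logs. The following is an added example written for this page, not code from the description or from McAfee; the sample paths, recipient address and subject line are constructed, and the subject regex assumes the literal `"machine name" [IP]` layout quoted above.

```python
import fnmatch
import re
from pathlib import PureWindowsPath

# File-name wildcards the trojan collects (from the description); matched case-insensitively.
COLLECT_PATTERNS = ("*.DOC", "*.XLS", "SE*.DBX")
# Base-name prefixes the trojan skips (from the description).
EXCLUDE_PREFIXES = ("README", "WINWORD", "TEST", "WORD")


def would_be_collected(path: str) -> bool:
    """True if a file at `path` meets the trojan's collection criteria."""
    name = PureWindowsPath(path).name.upper()
    if name.startswith(EXCLUDE_PREFIXES):
        return False  # excluded before the wildcard test, as the description states
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in COLLECT_PATTERNS)


def exposure_scope(paths):
    """Subset of `paths` the trojan would have mailed out (exposure assessment for IR)."""
    return [p for p in paths if would_be_collected(p)]


# Assumed subject layout, taken from the quoted mail format: "machine name" [dotted IPv4]
SUBJECT_RE = re.compile(r'^"[^"]+" \[(\d{1,3}(?:\.\d{1,3}){3})\]$')


def suspicious_mail(to_addr: str, subject: str) -> bool:
    """Flag an outbound message whose recipient domain and subject shape match the trojan's."""
    domain = to_addr.rpartition("@")[2].lower()
    return domain == "ifrance.com" and SUBJECT_RE.match(subject) is not None


if __name__ == "__main__":
    # Constructed sample paths from a hypothetical host; not real indicators.
    sample = [
        r"C:\Docs\budget.xls",
        r"C:\Docs\README.DOC",
        r"C:\Docs\WordList.doc",
        r"C:\Users\a\Outlook Express\Sent Items.dbx",
        r"C:\Users\a\Outlook Express\Inbox.dbx",
    ]
    for p in exposure_scope(sample):
        print("would have been exfiltrated:", p)
    print(suspicious_mail("xxx@ifrance.com", '"WORKSTATION1" [192.168.1.20]'))
```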

For example:

Symptoms

The trojan does not install itself on the victim machine in any way.

Method of Infection

The trojan mails out specific files from the victim machine to an email address hardcoded within the trojan.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Karbsteal
