Content

Kather

Type
Trojan
SubType
-
Discovery Date
02/14/2003
Length
Varies
Minimum DAT
4248 (02/19/2003)
Updated DAT
4323 (02/11/2004)
Minimum Engine
5.1.00
Description Added
07/16/2003
Description Modified
07/16/2003 12:54 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Downloader-BY
  • TROJ_KATHER.A (Trend)
  • TrojanDownloader.Win32.Kather (AVP)

Characteristics -

There are many variants of this trojan. This description is simply meant as a guide. An installer executable file, such as TAXIGIRL.EXE, may drop the trojan. Additionally, this trojan was likely spammed to many email addresses. As there are already many different variants, it is reasonable to assume future spamming may occur.

The purpose of this trojan is to harvest email addresses; most likely for spam purposes. Addresses are gathered from an infected user's system and posted to a form on a web page. This webpage is running a script that enters submitted addresses into a database.

A trojan dropper may display a movie (as in the TAXIGIRL.EXE example above, a movie is displayed where a woman's dress gets caught in the car door of a taxi cab as she exits). Meanwhile, the trojan address harvester gets extracted into the WINDOWS SYSTEM (%SysDir%) directory, in this case as WINSS.EXE (7,881 bytes), and a registry run key is created to load the trojan at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MSOleath32" = c:\windows\system3\winss.exe

The next time the system reboots, the WINSS.EXE file removes the registry key that the dropper created. Therefore the trojan only runs once at startup (not each startup).

In addition to the address harvesting, the start page of Internet Explorer may be set to http://cn.yahoo.com. Certain versions of the trojan contain a list of keywords to search for within Internet Cache files, presumably for the purpose of gathering cookies and potentially usernames/passwords.

The trojan contains the string: PostMan
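As an added triage helper (not part of this description or of the vendor's tools), the following Python scans a registry export for the indicators given above: the "MSOleath32" Run value, a Run entry launching WINSS.EXE, and the changed Internet Explorer start page. The Internet Explorer "Main" key path and the sample .reg export are constructed here for the example.

```python
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "MSOleath32"
DROPPED_IMAGE = "winss.exe"
START_PAGE = "http://cn.yahoo.com"

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumed location of the IE start page setting (not stated on the page).
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            # .reg files escape backslashes inside string data as "\\".
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_kather_indicators(reg_text):
    """Return a list of findings; an empty list means nothing matched.

    Note: the trojan deletes its own Run value at the next reboot, so an
    absent Run value does not mean the dropped WINSS.EXE is gone as well."""
    findings = []
    keys = parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run value {name!r} -> {data}")
        elif data.lower().endswith(DROPPED_IMAGE):
            findings.append(f"Run value {name!r} launches {DROPPED_IMAGE}")
    start = keys.get(IE_MAIN_KEY, {}).get("Start Page", "")
    if start.lower().startswith(START_PAGE):
        findings.append(f"IE start page set to {start}")
    return findings


# Constructed sample export showing an infected system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSOleath32"="c:\\windows\\system3\\winss.exe"
"Tray"="c:\\windows\\system32\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://cn.yahoo.com"
'''
```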

Symptoms -

Internet Explorer start page changed to http://cn.yahoo.com without user's knowledge

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants -

    N/A