McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Sysbug (Symantec)

• Troj/Sysbug-A (Sophos)

• Win32.PSW.LdPinch.G (CA)

Characteristics

Update: 11/25/2003
This threat is considered to be a Low-Profiled risk due to media attention at:  http://www.vnunet.com/News/1150284

Update: 11/28/2003
The From: field below can vary - however james2003@hotmail.com
is visible in the headers of the emails.

This detection covers a remote access trojan, which allows a remote attacker to control the compromised system.  The trojan is believed to have been mass-spammed on Nov. 24, 2003, in an email message as follows:

From: james2003@hotmail.com
Subject: Re[2]: Mary

Hello my dear Mary,

I have been thinking about you all night. I would like to apologize for the other night when we made beautiful love and did not use condoms. I know this was a mistake and I beg you to forgive me.

I miss you more than anything, please call me Mary, I need you. Do you remember when we were having wild sex in my house? I remember it all like it was only yesterday. You said that the pictures would not come out good, but you were very wrong, they are great. I didn't want to show you the pictures at first, but now I think it's time for you to see them. Please look in the attachment and you will see what I mean.

I love you with all my heart, James.

Attachment: Private.zip [containing the file wendynaked.jpg.exe]

When the executable is extracted and run, it configures itself to load at system startup by copying itself to the Windows (%WinDir%) directory as sysdeb32.exe and creating a registry run key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "SystemDebug" = C:\Windows\sysdeb32.exe

The trojan attempts to contact www.kernel.org as a means to verify that an Internet connection is active. 

User information is saved to a local file, c:\temp35.txt , such as:

• POP3 Server, Username, Password
• NNTP Server, Username
• SMTP Server Name, Email Address
• INETCOMM Password

Upon rebot, this temp35.txt file is deleted.

TCP Port 5555 is opened for listening and the trojan contacts a remote site to send infection notification.

• finance.red-host.com

A marker file is saved in the WINDOWS directory, svc.sav .

Symptoms

• System listening on TCP Port 5555
• Existence of the files/Registry keys detailed above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users :
AVERT considers this to be a low risk threat. Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.Sysbug (Symantec)

• Troj/Sysbug-A (Sophos)

• Win32.PSW.LdPinch.G (CA)

Characteristics

Characteristics -

Update: 11/25/2003
This threat is considered to be a Low-Profiled risk due to media attention at:  http://www.vnunet.com/News/1150284

Update: 11/28/2003
The From: field below can vary - however james2003@hotmail.com
is visible in the headers of the emails.

This detection covers a remote access trojan, which allows a remote attacker to control the compromised system.  The trojan is believed to have been mass-spammed on Nov. 24, 2003, in an email message as follows:

From: james2003@hotmail.com
Subject: Re[2]: Mary

Hello my dear Mary,

I have been thinking about you all night. I would like to apologize for the other night when we made beautiful love and did not use condoms. I know this was a mistake and I beg you to forgive me.

I miss you more than anything, please call me Mary, I need you. Do you remember when we were having wild sex in my house? I remember it all like it was only yesterday. You said that the pictures would not come out good, but you were very wrong, they are great. I didn't want to show you the pictures at first, but now I think it's time for you to see them. Please look in the attachment and you will see what I mean.

I love you with all my heart, James.

Attachment: Private.zip [containing the file wendynaked.jpg.exe]

When the executable is extracted and run, it configures itself to load at system startup by copying itself to the Windows (%WinDir%) directory as sysdeb32.exe and creating a registry run key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "SystemDebug" = C:\Windows\sysdeb32.exe

The trojan attempts to contact www.kernel.org as a means to verify that an Internet connection is active. 

User information is saved to a local file, c:\temp35.txt , such as:

• POP3 Server, Username, Password
• NNTP Server, Username
• SMTP Server Name, Email Address
• INETCOMM Password

Upon rebot, this temp35.txt file is deleted.

TCP Port 5555 is opened for listening and the trojan contacts a remote site to send infection notification.

• finance.red-host.com

A marker file is saved in the WINDOWS directory, svc.sav .

Symptoms

Symptoms -

• System listening on TCP Port 5555
• Existence of the files/Registry keys detailed above

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

All Users :
AVERT considers this to be a low risk threat. Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A