BackDoor-AWQ.b

Type: Trojan
SubType: Remote Access
Discovery Date: 01/06/2004
Length: 363,790 bytes (EXE); 260,608 bytes (DLL)
Minimum DAT: 4313 (01/07/2004)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 01/06/2004
Description Modified: 01/06/2004 8:13 AM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

This detection is for a remote access trojan written in Borland Delphi. An email message constructed to download and execute the trojan is known to have been spammed to users.

The spammed message is constructed in HTML format. It is likely to have a random subject line, and its body is likely to bear a head portrait of a lady (loaded from a remote server upon viewing the message).

The body contains HTML tags to load a second file from a remote server. This file is MIME, and contains the remote access trojan (base64 encoded).
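The delivery chain above (an HTML body pulling a MIME file whose base64 part carries the executable) can be triaged offline. The following Python is an added example, not McAfee's code or anything shipped with the advisory: it walks a .mht file with the standard library email parser, flags base64 parts that decode to a PE image (MZ magic), hashes each part, and collects the remote URLs the HTML references so they can be blocked. The sample .mht, the example.invalid hostnames and the "executable" (a placeholder that only begins with MZ) are all constructed for the example.

```python
"""Triage a MIME (.mht) file: list each part, flag base64 parts that decode to
a PE image, hash every part, and pull the remote URLs the HTML part references."""
import base64
import email
import hashlib
import re
from email import policy

# Constructed sample .mht modelled on the delivery chain described in the advisory.
# The second part's "executable" is a harmless placeholder starting with the MZ magic.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"placeholder-not-a-real-binary"

SAMPLE_MHT = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="----=_PART"\n'
    "\n"
    "------=_PART\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    '<html><body><img src="http://example.invalid/portrait.jpg"></body></html>\n'
    "------=_PART\n"
    'Content-Type: application/octet-stream; name="index.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Location: http://example.invalid/index.exe\n"
    "\n"
    + base64.encodebytes(FAKE_EXE).decode("ascii")
    + "------=_PART--\n"
).encode("ascii")

# Hypothetical, deliberately simple URL matcher for the HTML part.
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def triage_mht(raw: bytes) -> list[dict]:
    """Return one record per leaf MIME part with type, encoding, size, hash and URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable so we see the real bytes
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "content_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "")).lower(),
            "location": str(part.get("Content-Location") or ""),
            "size": len(payload),
            "is_pe": payload.startswith(b"MZ"),  # DOS/PE header magic
            "sha256": hashlib.sha256(payload).hexdigest(),
            "urls": sorted({u.decode("ascii", "replace") for u in URL_RE.findall(payload)}),
        })
    return findings


def embedded_executables(raw: bytes) -> list[dict]:
    """Parts that decode to something carrying a PE header."""
    return [f for f in triage_mht(raw) if f["is_pe"]]


def referenced_urls(raw: bytes) -> list[str]:
    """Every remote location the file references, for blocklisting or log searches."""
    urls = set()
    for f in triage_mht(raw):
        urls.update(f["urls"])
        if f["location"]:
            urls.add(f["location"])
    return sorted(urls)


if __name__ == "__main__":
    for f in triage_mht(SAMPLE_MHT):
        print(f"{f['content_type']:<28} {f['encoding']:<6} {f['size']:>6} B "
              f"pe={f['is_pe']} sha256={f['sha256'][:16]}...")
    print("URLs:", referenced_urls(SAMPLE_MHT))
```

Run it against a captured index.mht instead of SAMPLE_MHT to get the hashes for DAT lookups and the URL list for proxy searches; the MZ check is a quick filter, not a substitute for scanning the extracted part.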

Installation

Upon execution, the trojan installs itself into the %SysDir% directory as GRAYPIGEON.EXE. A DLL file is extracted and also copied to this directory:

  • %SysDir%\GRAYPIGEON.EXE
    (system and hidden attributes set)
  • %SysDir%\GRAYPIGEON.DLL

(Where %SysDir% is the Windows System directory, for example C:\WINNT\SYSTEM32)

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  "ScanRegedit" = "%SysDir%\GRAYPIGEON.EXE"

The DLL file (which contains the backdoor functionality) is injected into the EXPLORER.EXE process on the victim machine. This method is typically used to bypass personal firewall settings (explorer.exe is often excluded from firewall rules).

Once running, the hacker is able to perform various tasks, including:

  • Opening and closing the CD drive
  • Opening an FTP server on the victim machine
  • Retrieving information from the victim machine (OS, CPU, memory, etc.)

Symptoms

  • The spammed message contains links to the image and the encoded trojan at the following server:

    http://ns1.jilinfarm.com/member/(blocked)/index.mht
  • Outgoing HTTP traffic from the victim machine to a server such as the following:

    http://shaowenqi.3322.org
  • Existence of the files/Registry keys detailed above
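The indicators listed above (file names under %SysDir%, the RunOnce value and the contacted hosts) are easy to check mechanically. The following Python is an added example, not McAfee's code: it matches an autorun snapshot, a file listing and outbound proxy log lines against those indicators, and on Windows can read the live HKCU Run/RunOnce keys through winreg. The snapshot, file list and log lines are constructed sample data, the log format (timestamp, client, method, URL, status) is an assumption, and the path component the advisory blocks out is replaced by a PLACEHOLDER.

```python
"""Match a host snapshot and proxy log lines against the BackDoor-AWQ.b indicators."""
import sys
from urllib.parse import urlsplit

# Indicators taken from the advisory text (compared case-insensitively).
IOC_FILES = {"graypigeon.exe", "graypigeon.dll"}
IOC_RUN_VALUE = "scanregedit"
IOC_HOSTS = {"ns1.jilinfarm.com", "shaowenqi.3322.org"}
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
)


def _leaf(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_run_values(values: dict[str, str]) -> list[str]:
    """values maps value name -> data for an autorun key; return the suspicious entries."""
    return [f"{name} = {data}" for name, data in values.items()
            if name.lower() == IOC_RUN_VALUE or _leaf(data) in IOC_FILES]


def match_files(paths) -> list[str]:
    """Paths whose file name is one of the dropped components."""
    return [p for p in paths if _leaf(p) in IOC_FILES]


def scan_proxy_log(lines) -> list[tuple[int, str, str]]:
    """Assumed log format: 'timestamp client method url status'.
    Returns (line number, client, host) for requests to the listed hosts."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host = (urlsplit(fields[3]).hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append((n, fields[1], host))
    return hits


def read_live_run_values() -> dict[str, dict[str, str]]:
    """On Windows, enumerate HKCU Run/RunOnce with winreg; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for key_path in RUN_KEYS:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key absent
            pass
        out[key_path] = values
    return out


# Constructed sample data: one RunOnce snapshot, a file list and a few proxy log lines.
SAMPLE_RUNONCE = {
    "ScanRegedit": r"C:\WINNT\SYSTEM32\GRAYPIGEON.EXE",
    "Updater": r"C:\Program Files\Example\update.exe",
}
SAMPLE_FILES = [r"C:\WINNT\SYSTEM32\graypigeon.dll", r"C:\WINNT\SYSTEM32\kernel32.dll"]
SAMPLE_PROXY_LOG = [
    "2004-01-06T10:01:12 10.0.0.5 GET http://shaowenqi.3322.org/ 200",
    "2004-01-06T10:01:15 10.0.0.5 GET http://www.example.com/index.html 200",
    "2004-01-06T10:02:40 10.0.0.9 GET http://ns1.jilinfarm.com/member/PLACEHOLDER/index.mht 200",
]

if __name__ == "__main__":
    print("autorun hits:", match_run_values(SAMPLE_RUNONCE))
    print("file hits:   ", match_files(SAMPLE_FILES))
    print("proxy hits:  ", scan_proxy_log(SAMPLE_PROXY_LOG))
    for key_path, values in read_live_run_values().items():
        print(key_path, "->", match_run_values(values))
```

The RunOnce entry is consumed on the next boot, so an absent value does not clear a host; the injected DLL inside EXPLORER.EXE and the proxy hits remain the more durable evidence.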

Method of Infection

An HTML email message intended to download and execute this trojan is known to have been spammed to users.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.