Content

Phish-Potpor

Type
Trojan
SubType
Phishing
Discovery Date
02/16/2004
Length
552,960 bytes
Minimum DAT
4326 (02/18/2004)
Updated DAT
4326 (02/18/2004)
Minimum Engine
5.1.00
Description Added
02/16/2004
Description Modified
02/17/2004 7:31 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This is a detection for a new trojan that sends out a huge amount of EMails asking the recipient update his Visa Card contact information including card number, name, expiration date and PIN.

When executed, the trojan copies itself to %windir% folder using the filename "LPCONFIG.EXE". It creates a registry key so it gets started on system boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "ipconfig" =  c:\winnt\lpconfig.exe


The emails have these properties:

From: "VISA" [support@visa.com]
Subject: "VISA Announcement!"
To: addresses are randomly generated based on a long list of names hardcoded within the trojan.

Mailbody:

Example:

Note:These mails are detected as Phish-Potpor!eml with 4324DATs or higher.

The trojan contains a list of SMTP servers that it uses to submit the mails:

  • 207.69.200.80
  • 207.69.200.93
  • 207.69.200.65
  • 207.69.200.159
  • 207.69.200.133
  • 207.69.200.30
  • 207.69.200.36
  • 207.69.200.31
  • 206.124.29.24
  • 165.212.8.32
  • 205.188.158.121
  • 205.188.159.57
  • 205.188.159.249
  • 64.12.137.89
  • 64.12.137.184
  • 64.12.138.57
  • 64.12.138.152
  • 205.188.156.185
  • 64.12.137.184
  • 64.12.138.89
  • 64.12.138.120
  • 205.188.156.185
  • 205.188.158.121
  • 205.188.159.57
  • 64.12.137.89
  • 194.112.50.61
  • 195.157.7.77
  • 194.112.50.11
  • 207.217.125.16
  • 207.217.125.17
  • 207.217.125.18
  • 207.217.125.19
  • 207.217.125.20
  • 207.217.125.21
  • 207.217.125.22
  • 207.217.125.23
  • 207.217.125.24
  • 66.98.161.198
  • 66.98.208.65
  • 66.98.160.58
  • 207.115.63.115
  • 207.115.63.70
  • 195.166.137.25
  • 62.69.90.12
  • 217.28.130.35
  • 80.189.92.100
  • 80.189.94.100
  • 195.72.113.42
  • 145.253.32.2
  • 194.73.73.118
  • 194.73.73.117
  • 192.168.10.130
  • 192.168.10.135
  • 62.253.164.70
  • 195.130.225.26
  • 207.69.200.31
  • 207.69.200.82
  • 207.69.200.17
  • 207.69.200.154
  • 207.69.200.106
  • 194.42.224.145
  • 194.42.224.148
  • 212.74.114.54
  • 212.74.114.26
  • 212.74.114.7
  • 213.189.95.71
  • 213.189.95.71
  • 149.174.40.55
  • 149.174.40.183
  • 149.174.211.5
  • 149.174.213.5

When the 'here' link within the mailbody gets clicked, the brower will open a page hosted on a DYNDNS.ORG IP address. At the moment of this writing, only one page is available and has this content:

Please note, the content of this page may change.

Symptoms

  • existance of files mentioned above
  • unexpected network traffice to various SMTP servers
  • network connections to visasecurityupgrade.dyndns.org and goldy.dyndns.org

Method of Infection

Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Reading the email or opening the included link does not infect the machine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This is a detection for a new trojan that sends out a huge amount of EMails asking the recipient update his Visa Card contact information including card number, name, expiration date and PIN.

When executed, the trojan copies itself to %windir% folder using the filename "LPCONFIG.EXE". It creates a registry key so it gets started on system boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "ipconfig" =  c:\winnt\lpconfig.exe


The emails have these properties:

From: "VISA" [support@visa.com]
Subject: "VISA Announcement!"
To: addresses are randomly generated based on a long list of names hardcoded within the trojan.

Mailbody:

Example:

Note:These mails are detected as Phish-Potpor!eml with 4324DATs or higher.

The trojan contains a list of SMTP servers that it uses to submit the mails:

  • 207.69.200.80
  • 207.69.200.93
  • 207.69.200.65
  • 207.69.200.159
  • 207.69.200.133
  • 207.69.200.30
  • 207.69.200.36
  • 207.69.200.31
  • 206.124.29.24
  • 165.212.8.32
  • 205.188.158.121
  • 205.188.159.57
  • 205.188.159.249
  • 64.12.137.89
  • 64.12.137.184
  • 64.12.138.57
  • 64.12.138.152
  • 205.188.156.185
  • 64.12.137.184
  • 64.12.138.89
  • 64.12.138.120
  • 205.188.156.185
  • 205.188.158.121
  • 205.188.159.57
  • 64.12.137.89
  • 194.112.50.61
  • 195.157.7.77
  • 194.112.50.11
  • 207.217.125.16
  • 207.217.125.17
  • 207.217.125.18
  • 207.217.125.19
  • 207.217.125.20
  • 207.217.125.21
  • 207.217.125.22
  • 207.217.125.23
  • 207.217.125.24
  • 66.98.161.198
  • 66.98.208.65
  • 66.98.160.58
  • 207.115.63.115
  • 207.115.63.70
  • 195.166.137.25
  • 62.69.90.12
  • 217.28.130.35
  • 80.189.92.100
  • 80.189.94.100
  • 195.72.113.42
  • 145.253.32.2
  • 194.73.73.118
  • 194.73.73.117
  • 192.168.10.130
  • 192.168.10.135
  • 62.253.164.70
  • 195.130.225.26
  • 207.69.200.31
  • 207.69.200.82
  • 207.69.200.17
  • 207.69.200.154
  • 207.69.200.106
  • 194.42.224.145
  • 194.42.224.148
  • 212.74.114.54
  • 212.74.114.26
  • 212.74.114.7
  • 213.189.95.71
  • 213.189.95.71
  • 149.174.40.55
  • 149.174.40.183
  • 149.174.211.5
  • 149.174.213.5

When the 'here' link within the mailbody gets clicked, the brower will open a page hosted on a DYNDNS.ORG IP address. At the moment of this writing, only one page is available and has this content:

Please note, the content of this page may change.

Symptoms

Symptoms -

  • existance of files mentioned above
  • unexpected network traffice to various SMTP servers
  • network connections to visasecurityupgrade.dyndns.org and goldy.dyndns.org

Method of Infection

Method of Infection -

Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Reading the email or opening the included link does not infect the machine.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A