Spy-Idwi

Type: Trojan
SubType: Win32
Discovery Date: 03/16/2004
Length: Various
Minimum DAT: 4328 (02/25/2004)
Updated DAT: 4364 (06/02/2004)
Minimum Engine: 5.1.00
Description Added: 03/16/2004
Description Modified: 03/17/2004 4:06 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

There are multiple versions of this trojan; users are recommended to use the latest engine and DATs for maximum protection. This family bears similarity to Spy-Tofger, sharing the following characteristics:

  • consists of dropper, DLL and EXE components
  • monitors windows with certain titles to capture keystrokes in sessions concerning online financial services

March 16th 2004
A new variant is known to have been spammed to users via an email such as the one detailed below. Detection for this variant will be included in the 4339 DAT files.

The spammed-out email is likely to be formatted as follows:

From: (some username)@microsoft.com
Subject: MS Security
Body:

Welcome to Windows Update!


There are 10 critical updates available at this time

Get the latest updates available for your computer's operating system,
software, and hardware.

Windows Update scans your computer and provides you with a selection
of updates tailored just for you.

Checking for the latest version of the Windows Update software...

Depending on your connection speed, this might take a minute.
During this time, you may receive one or more security warnings.
Review each security warning to ensure that the content is signed by Microsoft, and then click Yes to install the software.

Follow the link :Windows Update

Open the fail,and new updates are installed.


Sincerely,
www.microsoft.com.

The link within the message body leads to the following URL:

  • (omitted w w w)
    microsoft-security-updates(dot com)

A dropper, MSTASKS.EXE (7,168 bytes), is downloaded from this site. When run, the dropper installs the following files:

  • %WinDir%\SVCHOST.EXE (12,000 bytes) - main component
  • %WinDir%\WMSRO32.DLL (3,072 bytes) - keylogging DLL
  • %WinDir%\INITES.INI - text message indicating successful installation; also used to store logged keystrokes

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows Startup" = %WinDir%\SVCHOST.EXE

A data value is added also:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Mrvt
    "IDWin" = (data)

This data value is sent with the logged data in the email to the hacker.

Visited URLs are logged, as are keystrokes. Applications whose window title contains any of the following strings (financial services) are specifically targeted:

  • e-gold
  • Fleet
  • Citi
  • CIBC
  • RBC
  • Scotia

The trojan contains its own SMTP engine to mail out logged data. The following SMTP server is used for mailing (IP address carried within the trojan):

  • 194.67.23.20

The sent email will use the following email address in the From: and To: headers:

  • xlog@mail.ru

The mail will contain logged keystrokes together with the window title for the session from which they were logged.

Symptoms

  • Files and Registry keys detailed above
  • Outgoing SMTP traffic to the IP address detailed above
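A triage script built from the symptoms listed above, added here as an example and not part of the original description: it scans a registry export and a firewall log for the "Windows Startup" Run value, the Mrvt\IDWin marker value and outbound SMTP to the hard-coded mail server. The sample registry dump and log lines are constructed, and the firewall log format is an assumption; note that the genuine svchost.exe lives under System32, so a Run entry pointing at %WinDir%\SVCHOST.EXE is itself a tell.

```python
import re

# Indicators taken from the Spy-Idwi description (matched case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Mrvt"
SMTP_SERVER = "194.67.23.20"

# Constructed sample in 'reg export' format; the IDWin data is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Windows Startup"="C:\\WINDOWS\\SVCHOST.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Mrvt]
"IDWin"="deadbeef"
'''

# Constructed firewall log lines (assumed format): <time> <action> <proto> <src> -> <dst>
SAMPLE_FW = [
    "12:01:03 ALLOW TCP 10.0.0.5:1043 -> 194.67.23.20:25",
    "12:01:09 ALLOW TCP 10.0.0.5:1044 -> 207.46.197.100:80",
]


def scan_reg_export(text):
    """Return (kind, data) tuples for Spy-Idwi persistence and marker values in a .reg dump."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # new key section
            continue
        m = re.match(r'^"([^"]+)"="?(.*?)"?$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if key == RUN_KEY.lower() and name == "Windows Startup":
            hits.append(("run", data))        # startup hook for the main component
        elif key == MARKER_KEY.lower() and name == "IDWin":
            hits.append(("marker", data))     # installation marker sent with logged data
    return hits


def scan_firewall_log(lines):
    """Return log lines showing outbound tcp/25 to the trojan's built-in SMTP server."""
    pat = re.compile(r"TCP \S+ -> " + re.escape(SMTP_SERVER) + r":25\b")
    return [line for line in lines if pat.search(line)]


if __name__ == "__main__":
    for kind, data in scan_reg_export(SAMPLE_REG):
        print(f"registry indicator ({kind}): {data}")
    for line in scan_firewall_log(SAMPLE_FW):
        print("smtp indicator:", line)
```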

Method of Infection

This trojan is intended to log sensitive data on the victim machine. It is likely to be received via a spammed email message directing the user to a web site from where the dropper component is downloaded and run.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all Registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trj/Etsur.A (Panda)
  • Trojan.Etsur (Symantec)
