McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This detection is for a keylogging trojan, designed to steal data from the victim machine. The threat consists of two components:

• an EXE which installs itself on the victim machine, hooking system startup.
• a DLL, dropped by the above EXE. This DLL is injected into the EXPLORER.EXE process on the victim machine. This technique is often used as a means of bypassing personal firewall protection (EXPLORER.EXE is often granted permissions 'foreign' processes are not).

The trojan contains its own SMTP engine to construct outgoing messages containing the stolen data.

The following files are dropped into the Windows system directory on the victim machine:

• %SysDir%\SVCROOT.EXE (8,704 bytes)
• %SysDir%\SVCROOT.DLL (5,120 bytes)

The following Registry key is added to hook system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run "explorer" = %SysDir%\SVCROOT.EXE

Logged keystrokes (together with the application they are associated with) are written to the following file in the Windows system directory:

• %SysDir%\GDISYS32.DLL

The trojan also logs details specific to Internet Explorer (IEXPLORE.EXE) sessions. The window title (typically the title from within the HTML) is logged together with the filename of the page being viewed, and keystrokes entered within that session. This data is logged to the following file:

• %SysDir%\MSNSYS32.DLL

The trojan uses its own SMTP engine to construct an email message containing the harvested data.

Symptoms

• Appearance of message boxes such as the following at system startup:
  
  
  
  
  
  
• Prompts from the personal firewall that EXPLORER.EXE is trying to perform a DNS lookup for the following remote servers:
  • smtp.hotbox.ru (used for sending email)
  • irc.ircnet.ru
• Files and Registry keys as detailed above.

Method of Infection

This is a trojan intended to steal data from the victim machine.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This detection is for a keylogging trojan, designed to steal data from the victim machine. The threat consists of two components:

• an EXE which installs itself on the victim machine, hooking system startup.
• a DLL, dropped by the above EXE. This DLL is injected into the EXPLORER.EXE process on the victim machine. This technique is often used as a means of bypassing personal firewall protection (EXPLORER.EXE is often granted permissions 'foreign' processes are not).

The trojan contains its own SMTP engine to construct outgoing messages containing the stolen data.

The following files are dropped into the Windows system directory on the victim machine:

• %SysDir%\SVCROOT.EXE (8,704 bytes)
• %SysDir%\SVCROOT.DLL (5,120 bytes)

The following Registry key is added to hook system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run "explorer" = %SysDir%\SVCROOT.EXE

Logged keystrokes (together with the application they are associated with) are written to the following file in the Windows system directory:

• %SysDir%\GDISYS32.DLL

The trojan also logs details specific to Internet Explorer (IEXPLORE.EXE) sessions. The window title (typically the title from within the HTML) is logged together with the filename of the page being viewed, and keystrokes entered within that session. This data is logged to the following file:

• %SysDir%\MSNSYS32.DLL

The trojan uses its own SMTP engine to construct an email message containing the harvested data.

Symptoms

Symptoms -

• Appearance of message boxes such as the following at system startup:
  
  
  
  
  
  
• Prompts from the personal firewall that EXPLORER.EXE is trying to perform a DNS lookup for the following remote servers:
  • smtp.hotbox.ru (used for sending email)
  • irc.ircnet.ru
• Files and Registry keys as detailed above.

Method of Infection

Method of Infection -

This is a trojan intended to steal data from the victim machine.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A