PWS-JA

Type: Trojan
SubType: Password Stealer
Discovery Date: 09/19/2005
Length:
Minimum DAT: 4584 (09/19/2005)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 09/19/2005
Description Modified: 02/07/2006 1:01 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This trojan captures login and password information for any visited website. It also steals Outlook address book information and sends it via HTTP POST.

It contacts 64.71.167.120 and sends out the following information:

  • IP
  • Open ports
  • Passwords
  • Email addresses stolen from Outlook.

Web browsing becomes extremely slow when this trojan is loaded.

System Changes

Files Added

  • c:\program files\common files\microsoft shared\web folders\ibm00001.exe ( 2048 bytes )
  • %WINDIR%\temp\$_2341234.tmp
  • c:\program files\common files\microsoft shared\web folders\ibm00001.dll ( 64512 bytes )
  • c:\program files\common files\microsoft shared\web folders\ibm00002.dll ( 69632 bytes )
  • %WINDIR%\temp\$_2341233.tmp

Registry

The following registry keys are written:

  • hkey_current_user\software\microsoft\windows\currentversion\run\shell = "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\shell = explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

Symptoms

Presence of aforementioned files and registry keys.

The application creates the following network connection(s):

  • explorer.exe server:64.71.167.120 port:80
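As an added host check that is not part of the original AVERT description, the following PowerShell script looks for the files, registry values and network connection listed above. It is read-only and removes nothing; the drop directory is resolved from $env:CommonProgramFiles, an assumption that matches the c:\program files\common files path on this page.

```powershell
# Added host check for the PWS-JA indicators on this page (not AVERT's code).
# Read-only: reports findings, removes nothing. Assumes the drop directory is
# $env:CommonProgramFiles\Microsoft Shared\Web Folders, matching the page's path.
$WebFolders = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Folders'
$Indicators = @{
    Files = @(
        (Join-Path $WebFolders 'ibm00001.exe'),
        (Join-Path $WebFolders 'ibm00001.dll'),
        (Join-Path $WebFolders 'ibm00002.dll'),
        (Join-Path $env:WINDIR 'temp\$_2341233.tmp'),
        (Join-Path $env:WINDIR 'temp\$_2341234.tmp')
    )
    C2 = '64.71.167.120'
}
$Findings = @()

# 1. Winlogon Shell should be exactly "explorer.exe". The page shows the trojan
#    appending its own executable so it starts with the desktop on every logon.
$Winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($Winlogon.Shell -and $Winlogon.Shell.Trim() -ine 'explorer.exe') {
    $Findings += "Winlogon Shell tampered: $($Winlogon.Shell)"
}

# 2. HKCU Run key: the page lists a value named "shell" pointing at ibm00001.exe.
#    Any Run value that references the dropped binaries is reported.
$Run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($Run) {
    $Run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -imatch 'ibm0000[12]\.(exe|dll)' } |
        ForEach-Object { $Findings += "Run entry '$($_.Name)' -> $($_.Value)" }
}

# 3. Dropped files, with their on-disk size for comparison against the page.
foreach ($Path in $Indicators.Files) {
    if (Test-Path -LiteralPath $Path) {
        $Size = (Get-Item -LiteralPath $Path).Length
        $Findings += "File present: $Path ($Size bytes)"
    }
}

# 4. Live connection to the collection server on port 80. netstat is used
#    instead of Get-NetTCPConnection so the check runs on older Windows too.
$Conn = netstat -ano | Select-String -SimpleMatch "$($Indicators.C2):80"
if ($Conn) { $Findings += "Connection to $($Indicators.C2): $($Conn -join '; ')" }

if ($Findings.Count -eq 0) { 'No PWS-JA indicators found.' } else { $Findings }
```

Run it from an elevated PowerShell prompt so the HKLM Winlogon key and %WINDIR%\temp are readable; a tampered Winlogon Shell value is the strongest single indicator, since it survives a reboot and is not shown by the Run-key view in msconfig.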

Method of Infection

N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Additionally, many of these are mass spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.