Content

Spam-YFakeAccount

Type
Trojan
SubType
Spam
Discovery Date
10/26/2005
Length
varies
Minimum DAT
4614 (10/27/2005)
Updated DAT
4680 (01/23/2006)
Minimum Engine
5.1.00
Description Added
10/26/2005
Description Modified
10/26/2005 10:39 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This Trojan makes use of social engineering to create fake yahoo accounts possibly to send spam mails from those accounts later.

It can download various images from different sites and compose them together to make its own html page. For example it uses asexvideo.com to get a random adult image and an account creation challenge image from Yahoo to merge together. It then displays the image hoping that the user will decode the challenge image in the text form.

To lure the user to type the text shown in the image the adult image displays a banner with the text  "Win a free pass to my webcam" followed by Yahoo challenge image. As soon as the infected user enters the text it will be used to create fake yahoo accounts, probably to spam later.

To fill in the Yahoo form in order to create the fake account, it downloads random city names with random zip code from asexvideo.com. 

The Trojan adds a DLL file as browser helper object. The DLL file keeps downloading the updated copies of trojan in regular intervals. The files are stored with random names (8 characters)

  • %programfiles%\windrv\utlis\(random).exe (~113 KB)
  • %programfiles%\windrv\utlis\(random).dll (~184 KB)
  • %programfiles%\windrv\utlis\Remove.exe (73,216 bytes)
  • %windir%\(random).exe (~113KB)

It adds the following entry to Add/Remove programs, which unregisters the DLL but does not remove all the trojan files which results in reinstall after reboot.

  • WinDrv(Remove Only)

URLs Contacted

  • websearch01.mcclient.com
  • hypercount.com
  • retrostats.com
  • asexvideo.com
  • digitalsinsations.com

Registry Changes

  • HKEY_CURRENT_USERS\Software\Microsoft\Windows\
    CurrentVersion\Run\MCClient: "%programfiles%\(random.exe)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {DF56F9D5-EF50-400D-B616-6EEB7AE63C55}\InprocServer32\: "C:\Program Files\Windrv\Util\(random).dll"
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA\KeyB
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA\Auth
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA\Auth
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Stats
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Stats
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Info
    "BrowserVersion"="IE 6.0.2800.1106"
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Info
    "HP"="about:blank"
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Info
  • HKEY_CLASSES_ROOT\Windrv.class\Clsid
    "default"="{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}"
  • HKEY_CLASSES_ROOT\Windrv.class\Clsid
  • HKEY_CLASSES_ROOT\Windrv.class
    "default"="Windrv.class"
  • HKEY_CLASSES_ROOT\Windrv.class
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\HELPDIR
    "default"="C:\Program Files\Windrv\Util"
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\HELPDIR
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\FLAGS
    "default"="0"
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\FLAGS
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\0\win32
    "default"="C:\Program Files\Windrv\Util\(random).dll"
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\0
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0
    "default"="Windrv"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\TypeLib
    "Version"="1.0"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\TypeLib
    "(default)"="{963004A0-1A62-4740-ABCC-737DE5B5BF4B}"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\TypeLib
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\ProxyStubClsid32
    "default"="{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\ProxyStubClsid
    "default"="{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}
    "default"="class"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \VERSION
    "default"="1.0"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \VERSION
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \TypeLib
    "default"="{963004A0-1A62-4740-ABCC-737DE5B5BF4B}"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \ProgID
    "default"="Windrv.class"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \InprocServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \InprocServer32
    "(default)"="C:\Program Files\Windrv\Util\(random).dll"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    "default"="Windrv"

Symptoms

  • Presence of aformentioned regsitry keys, files and directories.
  • Randomly named processes in the process explorer.
  • Popup image similar to above in regular intervals.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This Trojan makes use of social engineering to create fake yahoo accounts possibly to send spam mails from those accounts later.

It can download various images from different sites and compose them together to make its own html page. For example it uses asexvideo.com to get a random adult image and an account creation challenge image from Yahoo to merge together. It then displays the image hoping that the user will decode the challenge image in the text form.

To lure the user to type the text shown in the image the adult image displays a banner with the text  "Win a free pass to my webcam" followed by Yahoo challenge image. As soon as the infected user enters the text it will be used to create fake yahoo accounts, probably to spam later.

To fill in the Yahoo form in order to create the fake account, it downloads random city names with random zip code from asexvideo.com. 

The Trojan adds a DLL file as browser helper object. The DLL file keeps downloading the updated copies of trojan in regular intervals. The files are stored with random names (8 characters)

  • %programfiles%\windrv\utlis\(random).exe (~113 KB)
  • %programfiles%\windrv\utlis\(random).dll (~184 KB)
  • %programfiles%\windrv\utlis\Remove.exe (73,216 bytes)
  • %windir%\(random).exe (~113KB)

It adds the following entry to Add/Remove programs, which unregisters the DLL but does not remove all the trojan files which results in reinstall after reboot.

  • WinDrv(Remove Only)

URLs Contacted

  • websearch01.mcclient.com
  • hypercount.com
  • retrostats.com
  • asexvideo.com
  • digitalsinsations.com

Registry Changes

  • HKEY_CURRENT_USERS\Software\Microsoft\Windows\
    CurrentVersion\Run\MCClient: "%programfiles%\(random.exe)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {DF56F9D5-EF50-400D-B616-6EEB7AE63C55}\InprocServer32\: "C:\Program Files\Windrv\Util\(random).dll"
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA\KeyB
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA\Auth
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA\Auth
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WSA
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Stats
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Stats
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Info
    "BrowserVersion"="IE 6.0.2800.1106"
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Info
    "HP"="about:blank"
  • HKEY_CURRENT_USERS
    \Software\VB and VBA Program Settings\WS\Info
  • HKEY_CLASSES_ROOT\Windrv.class\Clsid
    "default"="{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}"
  • HKEY_CLASSES_ROOT\Windrv.class\Clsid
  • HKEY_CLASSES_ROOT\Windrv.class
    "default"="Windrv.class"
  • HKEY_CLASSES_ROOT\Windrv.class
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\HELPDIR
    "default"="C:\Program Files\Windrv\Util"
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\HELPDIR
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\FLAGS
    "default"="0"
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\FLAGS
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\0\win32
    "default"="C:\Program Files\Windrv\Util\(random).dll"
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0\0
  • HKEY_CLASSES_ROOT\TypeLib\{963004A0-1A62-4740-ABCC-737DE5B5BF4B}
    \1.0
    "default"="Windrv"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\TypeLib
    "Version"="1.0"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\TypeLib
    "(default)"="{963004A0-1A62-4740-ABCC-737DE5B5BF4B}"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\TypeLib
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\ProxyStubClsid32
    "default"="{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}\ProxyStubClsid
    "default"="{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{76476771-8A26-4C27-AB22
    -88F572F269FA}
    "default"="class"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \VERSION
    "default"="1.0"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \VERSION
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \TypeLib
    "default"="{963004A0-1A62-4740-ABCC-737DE5B5BF4B}"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \ProgID
    "default"="Windrv.class"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \InprocServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    \InprocServer32
    "(default)"="C:\Program Files\Windrv\Util\(random).dll"
  • HKEY_CLASSES_ROOT\CLSID\{DF56F9D5-EF50-400D-B616-6EEB7AE63C55}
    "default"="Windrv"

Symptoms

Symptoms -

  • Presence of aformentioned regsitry keys, files and directories.
  • Randomly named processes in the process explorer.
  • Popup image similar to above in regular intervals.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A