McAfee > Theat Center > Virus Detail Page

Overview

This trojan uploads harvested email address from infected computers to a website.  Most likely the harvested addresses are used for SPAM (unsolicited email) purposes.  They may be sold to spammers by the trojan author or possibly used to seed other viruses and trojans in the future.

Characteristics

When executed, the trojan does not displays anything on the screen. It starts scanning files on the infected system, looking for email addresses to post to one of the following sites:

• http://81.177.22.xxx/1.jpg
• http://81.177.26.xxx

The trojan harvests email addresses from files with the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

The trojan avoids harvesting addresses containing the following strings:

@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

Symptoms

Unexpected traffic to the following ip addresses:

• http://81.177.22.xxx
• http://81.177.26.xxx

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This trojan uploads harvested email address from infected computers to a website.  Most likely the harvested addresses are used for SPAM (unsolicited email) purposes.  They may be sold to spammers by the trojan author or possibly used to seed other viruses and trojans in the future.

Characteristics

Characteristics -

When executed, the trojan does not displays anything on the screen. It starts scanning files on the infected system, looking for email addresses to post to one of the following sites:

• http://81.177.22.xxx/1.jpg
• http://81.177.26.xxx

The trojan harvests email addresses from files with the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

The trojan avoids harvesting addresses containing the following strings:

@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

Symptoms

Symptoms -

Unexpected traffic to the following ip addresses:

• http://81.177.22.xxx
• http://81.177.26.xxx

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A