PWS-Hachilem

Type: Trojan
SubType: Password Stealer
Discovery Date: 09/11/2006
Length: 516,096
Minimum DAT: 4849 (09/11/2006)
Updated DAT: 5051 (06/12/2007)
Minimum Engine: 5.1.00
Description Added: 09/11/2006
Description Modified: 09/12/2006 4:23 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Upon execution, the trojan drops itself to the following location.

  • %SYSTEMDIR%\i-milk.exe ( 516096 bytes )

The following registry keys are added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "i-milk" = %SYSTEMDIR%\i-milk.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    "i-milk" = %SYSTEMDIR%\i-milk.exe

Then it captures the following information.

  • Computer Name
  • User Name
  • Outlook Default userid/password

The trojan registers the stolen userid/password to the following porn site.

  • www.i-milk[removed]

Symptoms

Presence of the mentioned registry key and files.
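The following PowerShell check is an added example, not part of the McAfee description: it looks for the dropped file and the two Run/RunOnce values listed above. It assumes %SYSTEMDIR% resolves to %SystemRoot%\System32 (on Windows 9x/ME it would be the Windows\System folder instead), and the function name is an arbitrary choice.

```powershell
# Added example: host check for the PWS-Hachilem indicators from the description.
# Assumption: %SYSTEMDIR% is %SystemRoot%\System32 on NT-based Windows.
$ExpectedLength = 516096
$FilePath = Join-Path $env:SystemRoot 'System32\i-milk.exe'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-HachilemIndicators {
    $findings = @()

    # Dropped file: report it even if the size differs, since variants
    # may be packed differently; the size match is only corroboration.
    if (Test-Path -LiteralPath $FilePath) {
        $len = (Get-Item -LiteralPath $FilePath).Length
        $sizeNote = if ($len -eq $ExpectedLength) { 'size matches' } else { "size $len differs" }
        $findings += "File present: $FilePath ($sizeNote)"
    }

    # Startup hooks: the "i-milk" value under Run and RunOnce.
    foreach ($key in $RunKeys) {
        $value = Get-ItemProperty -Path $key -Name 'i-milk' -ErrorAction SilentlyContinue
        if ($value) {
            $findings += "Autorun value: $key\i-milk = $($value.'i-milk')"
        }
    }
    return $findings
}

$hits = @(Test-HachilemIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No PWS-Hachilem indicators found.'
} else {
    $hits | ForEach-Object { Write-Output "[!] $_" }
    Write-Output 'Clean with the current engine/DAT, then re-run to confirm the Run/RunOnce values are gone.'
}
```

Because the trojan re-registers itself under RunOnce as well as Run, a check that only inspects Run will miss a host where the Run value was removed by hand.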

Method of Infection

N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a password-stealing trojan that captures Outlook account information and registers it to a remote porn site via HTTP.

Aliases

  • Spy/VB!024 (Fortinet)
  • Trojan-Spy.Win32.VB.mn (Kaspersky)
  • Trojan.Hachilem (Symantec)
  • TSPY_VB.BHG (Trend Micro)
  • W32/Smalltroj.HUL (Norman)
