
Uploader-AH

Type: Trojan
SubType: Win32
Discovery Date: 02/26/2007
Length: 20 Megabytes
Minimum DAT: 4971 (02/26/2007)
Updated DAT: 5761 (10/04/2009)
Minimum Engine: 5.1.00
Description Added: 02/26/2007
Description Modified: 03/01/2007 11:05 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update March 1, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.itwire.com.au/content/view/10056/53

--

Upon execution, the trojan copies itself to the following files in the current directory:

  • taskmgr.exe
  • UGU.SCR

The trojan periodically captures the following information on the victim machine:

  • screenshot, saved to C:\MI2\SHOT.bmp
  • IP address, saved to C:\MI3\IP.txt
  • output of the command "tracert www.yahoo.com > C:\MI3\LOOT.txt", saved to C:\MI3\LOOT.txt

The trojan then uploads those files via FTP to the following remote site:

  • ftp.isweb.infoseek.co.jp
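As an added defender-side example (not McAfee's code and not part of the original description), the following Python script checks a host file listing, process command lines and outbound connection log lines against the artifacts listed above: the collection files under C:\MI2 and C:\MI3, self-copies named taskmgr.exe or UGU.SCR outside the Windows system directories, and connections to ftp.isweb.infoseek.co.jp. The file listing, command lines and log lines are constructed samples; the log line format, the list of legitimate taskmgr.exe locations and all function names are assumptions.

```python
"""Indicator check for the Uploader-AH artifacts named in the write-up.

Added example, not vendor code. Scans a constructed file listing,
constructed process command lines and constructed firewall log lines.
Real use would feed it a directory walk, Sysmon/EDR process events and
exported proxy or firewall logs.
"""
import re
from pathlib import PureWindowsPath

# Collection files named in the write-up (matched case-insensitively).
ARTIFACT_PATHS = {
    r"C:\MI2\SHOT.bmp",
    r"C:\MI3\IP.txt",
    r"C:\MI3\LOOT.txt",
}
_ARTIFACTS_LOWER = {a.lower() for a in ARTIFACT_PATHS}

# Names the trojan copies itself to, in the directory it was launched from.
DROPPED_NAMES = {"taskmgr.exe", "ugu.scr"}

# Where a legitimate taskmgr.exe lives (assumption: default Windows install
# under C:\Windows; adjust for other system roots).
LEGIT_SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# FTP host the write-up names as the upload destination.
EXFIL_HOST = "ftp.isweb.infoseek.co.jp"

# Assumed log format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"(?P<src>\S+?):(?P<sport>\d+)\s*->\s*(?P<dst>\S+?):(?P<dport>\d+)")


def check_files(paths):
    """Return (path, reason) for each path matching a host indicator."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        lowered = str(p).lower()
        if lowered in _ARTIFACTS_LOWER:
            hits.append((raw, "Uploader-AH collection artifact"))
        elif p.name.lower() in DROPPED_NAMES and not lowered.startswith(LEGIT_SYSTEM_DIRS):
            # taskmgr.exe outside a system directory is the self-copy, not the real tool.
            hits.append((raw, "self-copy name outside Windows system directory"))
    return hits


def check_commands(cmdlines):
    """Return command lines that read or write one of the artifact paths."""
    return [cmd for cmd in cmdlines
            if any(a in cmd.lower() for a in _ARTIFACTS_LOWER)]


def check_network(lines):
    """Return (src, dst, dport) for connections to the exfiltration host."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dst").lower().rstrip(".") == EXFIL_HOST:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


# Constructed samples: one clean taskmgr.exe, the two dropped copies,
# the three collection files and an unrelated program.
SAMPLE_FILES = [
    r"C:\Windows\System32\taskmgr.exe",
    r"C:\Documents and Settings\user\Desktop\taskmgr.exe",
    r"C:\Documents and Settings\user\Desktop\UGU.SCR",
    r"C:\MI2\SHOT.bmp",
    r"C:\MI3\IP.txt",
    r"C:\MI3\LOOT.txt",
    r"C:\Program Files\Notepad++\notepad++.exe",
]
SAMPLE_CMDS = [
    r"cmd.exe /c tracert www.yahoo.com > C:\MI3\LOOT.txt",
    r"C:\Windows\System32\tracert.exe www.yahoo.com",
]
SAMPLE_LOG = [
    "2007-02-26 10:15:02 ALLOW TCP 192.168.1.20:1043 -> ftp.isweb.infoseek.co.jp:21",
    "2007-02-26 10:15:09 ALLOW TCP 192.168.1.20:1044 -> www.yahoo.com:80",
    "2007-02-26 10:16:30 DROP  TCP 192.168.1.20:1045 -> ftp.isweb.infoseek.co.jp:21",
]


def triage(paths=SAMPLE_FILES, cmdlines=SAMPLE_CMDS, log_lines=SAMPLE_LOG):
    """Run all three checks and return their hits together."""
    return {
        "files": check_files(paths),
        "commands": check_commands(cmdlines),
        "network": check_network(log_lines),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The FTP check keys on the named host only; plain port-21 traffic is too common to flag by itself, but a host with file hits and any outbound FTP in the same window is worth a closer look.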

Symptoms

Upon execution, the trojan displays pictures containing Japanese messages.

[Example picture omitted: the original description includes a sample image here.]

The trojan also attempts to damage the victim machine:

  • Deletes all files in C:\Program Files
  • Replaces executable files with BMP image files carrying the extension ".jpg"

Method of Infection

The trojan is spread through the Winny P2P network.

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or of unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed by cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

The Uploader-AH trojan is designed to send screenshots and network information to a remote FTP server.

Aliases

  • Troj/Pirlames-A (Sophos)
  • Trojan.Pirlames (Symantec)
  • Trojan.Win32.VB.axa (Kaspersky)
  • TSPY_DENUTARO.DN (Trend Micro)
