PWS-FireMing.dll

Type
Trojan
SubType
Application extension
Discovery Date
07/03/2007
Length
Varies
Minimum DAT
5066 (07/03/2007)
Updated DAT
5793 (11/05/2009)
Minimum Engine
5.1.00
Description Added
07/03/2007
Description Modified
06/04/2008 3:05 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update June 3, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://redmondmag.com/news/article.asp?EditorialsID=9926

-- Update June 2, 2008 --
A variant of this trojan family was recently discovered in use in a spear-phishing campaign. The email was sent to executives at a number of companies, purporting to be a notice from the US Tax Court. If the link in the email is clicked, the page claims to be installing an Adobe Acrobat viewer, but what is actually installed is the PWS-FireMing.dll trojan.

More information on this incident can be found on the AvertLabs blog.


This trojan will download and execute malicious programs. It will also steal certificates stored in Internet Explorer.

The trojan connects to the following URL to receive further commands (parts of the address are redacted on the original page; the user parameter carries the infected computer's name):

  • http://203.121.[removed].232:80/OOO4/[removed].php?mod=cmd&user=computername&ext=my.pfx

It sends its HTTP requests with the following User-Agent string to impersonate Mozilla Firefox. A genuine Firefox User-Agent carries a platform token in parentheses (e.g. "(Windows; U; Windows NT 5.1; ...)"), so this bare string is itself a usable network indicator:

  • Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2

Further malware can be downloaded to the following path and then executed:

  • [%USERPROFILE%]\Local Settings\Temp\aol90.exe

The trojan also collects the certificate stores from Internet Explorer and sends them to the server. The data is first written to

  • [%WINDIR%]\kb0758257.log

and then uploaded with an HTTP POST request.

(where %USERPROFILE% is the user's profile directory, e.g. C:\Documents and Settings\User Name, so the download path above resolves to C:\Documents and Settings\User Name\Local Settings\Temp\aol90.exe;
and %WINDIR% is the Windows directory, e.g. C:\Windows)
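As an added example (not McAfee/AVERT code and not part of the original description), the following Python script applies the network indicators above to proxy log lines: the spoofed User-Agent, the C2 command-poll URL pattern, and a POST from the same User-Agent as a candidate for the certificate upload. The tab-separated log format, the sample lines, the script name gate.php, the client addresses and the host names are constructed for the example. The octet redacted as [removed] on the page is matched as a wildcard; the sample lines use 0 in that position purely so they parse, not because that is the real address.

```python
"""Detect PWS-FireMing.dll network indicators in proxy log lines.

Added example; not McAfee/AVERT code. The log format, sample lines and
the script name "gate.php" are constructed assumptions for this example.
"""
import re
from urllib.parse import urlparse, parse_qs

# Indicators from the threat description. The second octet of the C2
# address is redacted on the page, so it is left as a wildcard here.
FIREMING_UA = "Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"
C2_HOST_RE = re.compile(r"^203\.121\.\d{1,3}\.232$")
C2_PATH_RE = re.compile(r"^/OOO4/[^/]+\.php$")   # script name is redacted too
C2_QUERY = {"mod": "cmd", "ext": "my.pfx"}       # plus user=<computer name>


def parse_line(line):
    """Constructed format: ts TAB client TAB method TAB url TAB user-agent."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, client, method, url, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def matches_c2_url(url):
    """True when host, port, script path and query match the command-poll URL."""
    u = urlparse(url)
    if u.scheme != "http" or not C2_HOST_RE.match(u.hostname or ""):
        return False
    if (u.port or 80) != 80 or not C2_PATH_RE.match(u.path):
        return False
    q = parse_qs(u.query)
    fixed_ok = all(q.get(k) == [v] for k, v in C2_QUERY.items())
    return fixed_ok and "user" in q


def classify(rec):
    """Return the indicator names a parsed record triggers (empty = clean)."""
    hits = []
    if rec["ua"] == FIREMING_UA:
        # Real Firefox sends a platform token in parentheses; the trojan's
        # bare string never does, so an exact match is a strong signal.
        hits.append("fireming-user-agent")
    if matches_c2_url(rec["url"]):
        hits.append("c2-command-poll")
    if rec["method"] == "POST" and "fireming-user-agent" in hits:
        # The stolen certificate stores are uploaded with an HTTP POST.
        hits.append("possible-certificate-upload")
    return hits


def scan(lines):
    """Return [(record, hits)] for every line that triggers an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append((rec, hits))
    return findings


# Constructed sample traffic (not real log data). The C2 octet that is
# redacted on the page is written as 0 only so the URL parses.
SAMPLE_LOG = [
    "2008-06-02T10:01:05\t10.0.0.15\tGET\t"
    "http://203.121.0.232:80/OOO4/gate.php?mod=cmd&user=WS-EXEC01&ext=my.pfx\t"
    "Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2",
    "2008-06-02T10:01:09\t10.0.0.15\tPOST\t"
    "http://203.121.0.232:80/OOO4/gate.php\t"
    "Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2",
    "2008-06-02T10:02:30\t10.0.0.22\tGET\thttp://www.example.com/\t"
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) "
    "Gecko/20060308 Firefox/1.5.0.2",
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_LOG):
        print(rec["ts"], rec["client"], rec["method"], ", ".join(hits))
```

Run against the constructed sample, the first two lines are flagged (command poll, then a POST from the spoofed User-Agent) and the genuine Firefox request is not. The host-side artifacts listed above (aol90.exe in the user's temp directory and kb0758257.log in the Windows directory) are separate file-presence checks and are not covered by this script.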

Symptoms

Unexpected outbound HTTP connections to the URL and User-Agent string listed above.
Presence of the files listed above (aol90.exe in the user's temporary directory, kb0758257.log in the Windows directory).

Method of Infection

Not specified in the original description. The June 2, 2008 update above describes a variant delivered by spear-phishing email purporting to come from the US Tax Court, whose link claims to install an Adobe Acrobat viewer.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be detected and cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • Troj/YBHO-A (Sophos)
  • Trojan-Downloader.Win32.Agent.caa (Kaspersky)