McAfee > Theat Center > Virus Detail Page

Overview

This detection is for a spy trojan which upon running on the victim’s machine, may be used to upload stolen information to a pre-configured website.

The characteristics of this trojan with regards to file names, sites accessed, files downloaded, etc. can differ from one version to another, depending on the way in which the attacker had configured it. Therefore, this is a general description.

Aliases

• Backdoor.Paproxy [Symantec]

• Logger.Zbot.dun [Ewido]

• Trojan-Spy.Win32.Zbot.dun [Kaspersky]

• Trojan.Proxy.3211 [DrWeb]

• Trojan.Spy.Wsnpoem.GC [BitDefender]

• W32/Downldr2.DIFQ [F-Prot]

• Win32/Kollah.NE [eTrust-Vet]

• Win32/Spy.Agent.NIC [Nod32]

Characteristics

When executed, this trojan drops the following files:

• %System%\ntos.exe [Copy of Trojan]
• %System%\wsnpoem\audio.dll [Data File]
• %System%\wsnpoem\video.dll [Data File]

Note:

• %System% is a variable that refers to the System folder. In a Windows XP machine, this should by default refer to the “C:\Windows\System32” folder

The trojan also modifies the following registry values:

• Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Userinit = "%System%\userinit.exe,%System%\ntos.exe,"

This is done to ensure that ntos.exe runs every time Windows starts.

The trojan then injects itself into the address space of the following system processes:

• services.exe
• lsass.exe
• alg.exe

The trojan then attempts to connected to the following URL to download more malware:

• http://blatundalqik.ru/revolution/[Removed]

But at the time of writing this description, this URL seemed down.

Symptoms

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
  

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This detection is for a spy trojan which upon running on the victim’s machine, may be used to upload stolen information to a pre-configured website.

The characteristics of this trojan with regards to file names, sites accessed, files downloaded, etc. can differ from one version to another, depending on the way in which the attacker had configured it. Therefore, this is a general description.

Aliases

• Backdoor.Paproxy [Symantec]

• Logger.Zbot.dun [Ewido]

• Trojan-Spy.Win32.Zbot.dun [Kaspersky]

• Trojan.Proxy.3211 [DrWeb]

• Trojan.Spy.Wsnpoem.GC [BitDefender]

• W32/Downldr2.DIFQ [F-Prot]

• Win32/Kollah.NE [eTrust-Vet]

• Win32/Spy.Agent.NIC [Nod32]

Characteristics

Characteristics -

When executed, this trojan drops the following files:

• %System%\ntos.exe [Copy of Trojan]
• %System%\wsnpoem\audio.dll [Data File]
• %System%\wsnpoem\video.dll [Data File]

Note:

• %System% is a variable that refers to the System folder. In a Windows XP machine, this should by default refer to the “C:\Windows\System32” folder

The trojan also modifies the following registry values:

• Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Userinit = "%System%\userinit.exe,%System%\ntos.exe,"

This is done to ensure that ntos.exe runs every time Windows starts.

The trojan then injects itself into the address space of the following system processes:

• services.exe
• lsass.exe
• alg.exe

The trojan then attempts to connected to the following URL to download more malware:

• http://blatundalqik.ru/revolution/[Removed]

But at the time of writing this description, this URL seemed down.

Symptoms

Symptoms -

• Desktop firewall program alerting that a foreign program is trying to access the internet
• Presence of the files/Registry keys mentioned above
  

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A