Spy-Agent.du

Type
Trojan
SubType
Win32
Discovery Date
04/17/2009
Length
Varies
Minimum DAT
5587 (04/17/2009)
Updated DAT
5715 (08/20/2009)
Minimum Engine
5.3.00
Description Added
04/17/2009
Description Modified
04/27/2009 9:28 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

A recent variant was found to be stealing data from the user's cookies and sending that data to a remote server. It has been observed as an attachment to spoofed emails.

Upon execution, it creates the following files and folder:

  • %Windir%\system32\lowsec (folder)
  • %Windir%\system32\lowsec\local.ds (data file)
  • %Windir%\system32\lowsec\user.ds (data file)
  • C:\Documents and Settings\NetworkService\Cookies\index.dat (data file)
  • %Windir%\system32\sdra64.exe (Random size - detected as Spy-Agent.du)

(Where %Windir% is the Windows folder; C:\Windows)

Upon execution, the following registry keys are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTP\Parameters\Synchronize
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\Synchronize
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{random}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{random}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

The following registry values are added:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{random}\{23343233-2C66-3B33-3432-343233343233}: F6 0C F4 0E
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{3039636B-5F3D-6C64-6675-696870667265}: F7 09 F2 0D
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}\{33373039-3132-3864-6B30-303233343434}: 47 09 F2 0D

The following registry values are modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,%Windir%\system32\sdra64.exe,"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "C:\Documents and Settings\LocalService\Cookies"

The trojan injects its malicious code into the following process:

  • winlogon.exe

The trojan attempts to establish a connection with the following remote hosts:

  • 91.212.65.5   Port: 80
  • 91.212.65.74   Port: 80

This trojan can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

  • http://mn-room.ru/{blocked}/dir.cfg
  • http://91.212.65.74/{blocked}/dir.php
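As an added example (not part of the AVERT description), the following Python audits the persistence and redirection artifacts listed above against values read from a host: any Userinit entry other than the real userinit.exe is flagged (so it generalises beyond sdra64.exe), a Cookies shell folder that points outside the logged-on user's profile is flagged, and file paths and connections are matched against the listed indicators. The %Windir% expansion to C:\Windows, the user profile "alice" and all sample inputs are constructed assumptions.

```python
import ntpath
from typing import List, Tuple

# Indicators taken from the description above; %Windir% is the placeholder used there.
LEGIT_USERINIT = r"%windir%\system32\userinit.exe"
C2_HOSTS = {"91.212.65.5", "91.212.65.74"}
FILE_INDICATORS = (r"%windir%\system32\lowsec", r"%windir%\system32\sdra64.exe")

def normalize(path: str, windir: str = r"C:\Windows") -> str:
    """Lower-case a path and expand %Windir% so literal and expanded forms compare equal."""
    lowered = ntpath.normcase(path.strip().strip('"'))
    return lowered.replace("%windir%", ntpath.normcase(windir))

def audit_userinit(value: str, windir: str = r"C:\Windows") -> List[str]:
    """Return every Userinit entry other than the real userinit.exe.
    Winlogon runs each comma-separated entry at logon, which is how sdra64.exe
    persists above; the trailing comma leaves an empty entry that is skipped."""
    legit = normalize(LEGIT_USERINIT, windir)
    hits = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and normalize(entry, windir) != legit:
            hits.append(entry)
    return hits

def cookies_folder_redirected(value: str, user_profile: str) -> bool:
    """True when Shell Folders\\Cookies points outside the logged-on user's profile,
    as above where it is redirected into the LocalService profile."""
    prefix = ntpath.normcase(user_profile).rstrip("\\") + "\\"
    return not ntpath.normcase(value).startswith(prefix)

def match_file_indicators(paths: List[str], windir: str = r"C:\Windows") -> List[str]:
    """Return paths that are, or live under, the lowsec folder or the dropped executable."""
    wanted = [normalize(p, windir) for p in FILE_INDICATORS]
    hits = []
    for p in paths:
        n = normalize(p, windir)
        if any(n == w or n.startswith(w + "\\") for w in wanted):
            hits.append(p)
    return hits

def flag_c2_connections(conns: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return (host, port) pairs that match the remote hosts listed above."""
    return [c for c in conns if c[0] in C2_HOSTS]

if __name__ == "__main__":
    # Constructed sample values mirroring the description, not read from a real host.
    print(audit_userinit(r'"%Windir%\system32\userinit.exe,%Windir%\system32\sdra64.exe,"'))
    print(cookies_folder_redirected(r"C:\Documents and Settings\LocalService\Cookies",
                                    r"C:\Documents and Settings\alice"))
    print(match_file_indicators([r"C:\Windows\system32\lowsec\user.ds", r"C:\Windows\system32\calc.exe"]))
    print(flag_c2_connections([("91.212.65.74", 80), ("10.0.0.5", 443)]))
```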

Symptoms

Existence of the files and registry keys listed above.
HTTP connections to the remote hosts listed above.

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned when that combination is in use.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

A recent variant was found to be stealing data from the user's cookies and sending that data to a remote server.

Aliases

  • Infostealer (Symantec)
  • PWS:Win32/Zbot.M (Microsoft MP CL)
