McAfee > Theat Center > Virus Detail Page

Overview

This description is for a password stealing malware, which attempts to steal user information and post them to a pre defined site.

The characteristics of this password stealer with regards to passwords stolen, sites accessed, files downloaded etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Trj/CI.A [Panda]

• Trojan-Downloader.Win32.FakeRean [Sunbelt]

• TrojWare.Win32.PSW.LdPinch.Gen [Comodo]

• Win32/TrojanDropper.Agent.OKG [Nod32]

Characteristics

-- Update November 2, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://blog.threatexpert.com/2009/11/new-moon-trojan.html

--

When executed, this malware displays an erotic image to distract the user, and then drops the following files:

• %Windir%\exploree.exe [Detected as PWS-CuteMoon]
• %Windir%\svcoost.exe [Detected as PWS-CuteMoon]
• %System%\154.bat [Non malicious batch file]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt

It then modifies the host file located in "C:\Windows\System32\drivers\etc\hosts" with the following URL to IP mappings:

• 95.168.163.129 www.vkontakte.ru
• 95.168.163.129 vkontakte.ru
• 95.168.163.129 www.odnoklassniki.ru
• 95.168.163.129 odnoklassniki.ru

This is done to ensure that any attempts to connect to the above legitimate russian social networking sites, will be redirected to the malicious IP address instead.

The trojan then attempt to collect system information and other password related information on the victim's machine. The collected information is then uploaded to a "Cute News" service hosted by the attackers at http://www.newmoon-[Removed].net.

Symptoms

Presence of files and registry entries mentioned earlier.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This description is for a password stealing malware, which attempts to steal user information and post them to a pre defined site.

The characteristics of this password stealer with regards to passwords stolen, sites accessed, files downloaded etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Trj/CI.A [Panda]

• Trojan-Downloader.Win32.FakeRean [Sunbelt]

• TrojWare.Win32.PSW.LdPinch.Gen [Comodo]

• Win32/TrojanDropper.Agent.OKG [Nod32]

Characteristics

Characteristics -

-- Update November 2, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://blog.threatexpert.com/2009/11/new-moon-trojan.html

--

When executed, this malware displays an erotic image to distract the user, and then drops the following files:

• %Windir%\exploree.exe [Detected as PWS-CuteMoon]
• %Windir%\svcoost.exe [Detected as PWS-CuteMoon]
• %System%\154.bat [Non malicious batch file]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt

It then modifies the host file located in "C:\Windows\System32\drivers\etc\hosts" with the following URL to IP mappings:

• 95.168.163.129 www.vkontakte.ru
• 95.168.163.129 vkontakte.ru
• 95.168.163.129 www.odnoklassniki.ru
• 95.168.163.129 odnoklassniki.ru

This is done to ensure that any attempts to connect to the above legitimate russian social networking sites, will be redirected to the malicious IP address instead.

The trojan then attempt to collect system information and other password related information on the victim's machine. The collected information is then uploaded to a "Cute News" service hosted by the attackers at http://www.newmoon-[Removed].net.

Symptoms

Symptoms -

Presence of files and registry entries mentioned earlier.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A