Pws-AV
- Type: Trojan
- SubType: Password
- Discovery Date: 01/26/2000
- Length: 21,890
- Minimum DAT: 4066 (02/23/2000)
- Updated DAT: 4066 (02/23/2000)
- Minimum Engine: 5.1.00
- Description Added: 06/01/2000
- Description Modified: 08/01/2001 9:17 PM (PT)
Characteristics
W32/Badtrans@MM drops the file HKSDLL.DLL (a keylogger), which is also detected as Pws-AV.
This is a dial-up network password stealer which may arrive from a spoofed email address (info@ostrosoft.com) purporting to be a utility. The email message itself is in Russian and may appear as the following:
-----------begin copy of email (translated from Russian)-----------
From: Ksusha [info@ostrosoft.com]
To:
Subject: Hello!
Date: Wed, 31 May 2000 09:10:15 +0400

Attention!!
Especially for those who don't want to pay for Internet!!!
This small scanner allows you to find open ports on somebody else's computers. It works very fast and simply!
Just enter an IP address and a port and start it. Everything is very simple!
The archive contains a text file with a list of ports and their descriptions. If the archive is corrupted, you can get the scanner here:
http://www.ostrosoft.com/download/full/domscn.exe
Good luck!!!
-----------end copy of email-----------
The attachment is really a network password stealer. The file may be named "domscan.exe", but it is actually a self-extracting archive containing another file named "SYSMC32.EXE".
Because of this archiving, detecting this trojan in the attachment requires scanning archive-type files.
Ostrosoft is a small Russian software company. Ostrosoft has posted a notice on its website asking users to delete this email message, as it is not legitimate.
The file appears to be an old version of a legitimate program which has been trojanized. The original file was indeed an IP port scanner named "DomScan".
Symptoms
When run, this trojan copies itself to the WINDOWS SYSTEM directory and adds the following registry value to load at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"Hooker - the intelligent keylogger" = %SystemDir%\HOOKER.EXE
(Filename may vary)
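The RunServices value described above is the persistence artifact a responder would look for. The following is an added example (not McAfee's tool or code) that parses a constructed Windows .reg export and flags RunServices entries matching this description's indicators (the value name, HOOKER.EXE, SYSMC32.EXE, HKSDLL.DLL); the sample export contents are made up for illustration.

```python
import re

# Indicators from the Pws-AV description: the RunServices value name and the
# dropped file names. Matching is case-insensitive since the filename may vary.
SUSPECT_VALUE_NAMES = {"hooker - the intelligent keylogger"}
SUSPECT_FILES = {"hooker.exe", "sysmc32.exe", "hksdll.dll"}
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"

# Constructed sample .reg export (not a real capture); one entry mimics the trojan.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Hooker - the intelligent keylogger"="C:\\WINDOWS\\SYSTEM\\HOOKER.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes in string data as "\\"
                name = m.group(1).replace('\\\\', '\\')
                data = m.group(2).replace('\\\\', '\\')
                keys[current][name] = data
    return keys

def find_pws_av_autostart(reg_text):
    """Return (value_name, data) pairs under RunServices that match Pws-AV indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUNSERVICES_KEY:
            continue
        for name, data in values.items():
            exe = data.split()[0] if data.strip() else ""   # drop any arguments
            basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name.lower() in SUSPECT_VALUE_NAMES or basename in SUSPECT_FILES:
                hits.append((name, data))
    return hits
```

On a live system the export would come from `reg export` of the RunServices key; any hit should be cross-checked against the dropped files in the SYSTEM directory before removal.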
Method of Infection
Once running, this trojan attempts to connect to various mail servers to send the stolen password information to its author.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
All Information
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- DUNpws.av
- Trojan.PSW.Hooker.a