BackDoor-AOT

Type: Trojan
SubType: Password
Discovery Date: 11/07/2002
Length: Varies (279kB - 284kB)
Minimum DAT: 4233 (11/13/2002)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 11/08/2002
Description Modified: 01/10/2003 11:49 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update 10th Jan 2003 --

A new variant of this trojan (file length: 283,648 bytes, tElock packed) is downloaded by the W32/Sobig@MM worm. Detection of this variant requires the 4242 DATs.

--

This trojan appears to be related to Downloader-BN. However, at a specific date/time this trojan opens port 1180 on the victim machine, enabling the attacker to access the machine remotely.

The trojan contains password-stealing keylogger code. It connects to a geocities.com user's site to retrieve a URL, then navigates to that URL, passing the following information:

  • IP address
  • Drive letters and type
  • Windows version
  • Machine name
  • Username
The trojan queries several registry keys to report on the installation status of several programs:
  • WebMonkey
  • PGP
  • BestCrypt
  • WinMX
  • Return to Castle Wolfenstein
  • Soldier of Fortune II
The content of the web page accessed is saved to the file NBVLK32.NDR in the Windows System (%SysDir%) directory. A copy of the trojan is saved to the %SysDir% directory as MPTASK.EXE and a registry run key is created:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MPtask Services" = C:\WINDOWS\SYSTEM\mptask.exe
A keylogger DLL, NBRBK32.DLL, is dropped in the %SysDir% directory as well. The trojan attempts to steal cookies associated with PayPal, iFriend, E-Bullion, EZCardin, Chase, Evocash, Gold, Account Access, Nettler, WebMoney, eBay, and banks. It monitors typed keystrokes.

The trojan periodically connects to the author's site to retrieve commands and the current date and time. At a specified date/time, the trojan opens TCP port 1180 and sends a notification to the geocities.com user page, including the IP address and the password needed to access the infected system.

The trojan is dropped by a file that was posted to a newsgroup. The dropper extracts a JPG file to the %Temp% folder and opens it; the image is pornographic in nature.

Symptoms

Presence of the file MPTASK.EXE in the Windows System directory, using an icon typically associated with the Microsoft Synchronization Manager.
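As an added example (not part of the McAfee description), the following PowerShell script turns the indicators listed under Characteristics and Symptoms into host triage checks: the dropped files, the "MPtask Services" Run value, and a listener on TCP 1180. It assumes an NT-style %SystemRoot%\System32 directory in addition to the legacy C:\WINDOWS\SYSTEM path named above; the file, value and port names are those given on this page.

```powershell
# Host triage for the BackDoor-AOT indicators described above.
# Added example, not McAfee code. Run in an elevated PowerShell session.
# Assumption: %SysDir% is System32 on NT-based hosts; the description's
# own path (C:\WINDOWS\SYSTEM) is checked as well for older systems.
$sysDir    = Join-Path $env:SystemRoot 'System32'
$legacyDir = Join-Path $env:SystemRoot 'SYSTEM'
$files     = 'MPTASK.EXE', 'NBRBK32.DLL', 'NBVLK32.NDR'   # dropped by the trojan
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'MPtask Services'                           # persistence value name
$port      = 1180                                        # backdoor listener

$findings = @()

# 1. Dropped files in either form of the system directory
foreach ($dir in $sysDir, $legacyDir) {
    foreach ($f in $files) {
        $p = Join-Path $dir $f
        if (Test-Path -LiteralPath $p) {
            $findings += "File present: $p"
        }
    }
}

# 2. Persistence: the Run value created by the trojan
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
    $findings += "Run value '$runValue' = $($run.$runValue)"
}

# 3. Backdoor listener. The port is only opened after the trigger date/time,
#    so a closed port does not clear the host; files and Run value still matter.
$listen = netstat -an | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING"
if ($listen) {
    $findings += "TCP port $port is listening"
}

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor-AOT indicators found.'
} else {
    Write-Output 'BackDoor-AOT indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any hit should be confirmed with current engine and DAT files, as the Removal section advises, rather than treated as the sole basis for cleanup.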

Method of Infection

This trojan connects to a remote website to retrieve "further instructions".

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • BackDoor.Lala
  • Mine.279040
  • Zasil.279040
