This Trojan runs under Windows. It creates a hidden proxy server (allowing up to 100 connections) and then sends the IP address of the victim machine and cached passwords to its creator. It also downloads additional .exe files from a web site and updates itself by executing these files on the victim machine.
This Trojan first appeared in infected messages on 16th July 2003.
Infected messages
Attachment: web.da.us.citi.heloc.pif, which when launched downloads and executes the .exe file that is the main component of the Trojan.
Message header:
Re: Your credit application
Message body:
Dear sir, Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time. *Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
Installation
On launching, the Trojan copies itself to the Windows system directory under a random name and creates an additional .dll component with a random name in the same directory.
It creates the following keys in the system registry to ensure auto-run:
HKCR\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}
InProcServer32 = %trojan DLL name%
ThreadingModel = Apartment
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Web Event Logger = {79FA9088-19CE-715D-D85A-216290C5B738}
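The persistence above works by registering a CLSID under ShellServiceObjectDelayLoad so that the shell loads the Trojan's DLL at logon. As an added defender-side example (not part of the original description), the following Python triages an exported registry fragment for ShellServiceObjectDelayLoad entries whose CLSID resolves to an InProcServer32 DLL outside a known-good baseline; the sample export, the DLL file name and the baseline set are constructed.

```python
import re

# Constructed sample: a fragment of a registry export as an analyst might collect from
# an infected host. The CLSID and the "Web Event Logger" value name are the ones this
# Trojan writes; the DLL file name stands in for the random name it generates.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\System32\\qzkxptm.dll"
"ThreadingModel"="Apartment"
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# Illustrative baseline of DLLs legitimately loaded via SSODL; a real one comes from a clean host.
KNOWN_GOOD_DLLS = {"webcheck.dll", "stobject.dll"}


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}; "" is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1)
            keys[current] = {}
            continue
        value = re.match(r'^(@|"([^"]+)")="(.*)"$', line)
        if value and current is not None:
            name = "" if value.group(1) == "@" else value.group(2)
            keys[current][name] = value.group(3).replace("\\\\", "\\")  # undo .reg escaping
    return keys


def suspicious_ssodl_entries(reg_text, known_good=KNOWN_GOOD_DLLS):
    """Return (value_name, clsid, server_path, reason) for SSODL entries not in the baseline."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32"
        server = keys.get(server_key, {}).get("")
        if server is None:
            findings.append((name, clsid, None, "CLSID has no InProcServer32 (dangling entry)"))
            continue
        dll = server.rsplit("\\", 1)[-1].lower()
        if dll not in known_good:
            findings.append((name, clsid, server, "server DLL not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_ssodl_entries(SAMPLE_REG_EXPORT):
        print(finding)
```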
The Trojan contains the following copyright text string:
Webber10