PWS-PartyPooper

Type
Trojan
SubType
Password Stealer
Discovery Date
03/24/2006
Length
73kb (exe)
86,016 bytes (dll)
Minimum DAT
4727 (03/27/2006)
Updated DAT
4727 (03/27/2006)
Minimum Engine
5.1.00
Description Added
03/24/2006
Description Modified
03/25/2006 8:29 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update March 25, 2006 --
The SANS handler on duty mentioned a new variant in Today's Diary, and we have confirmed that this is a new sample. The trojan contains encrypted data beyond the end of the last PE section; this data includes the FTP details the trojan uses. The latest sample uses the server 200.182.57.13. It is possible that this trojan is self-sustaining, in the sense that it can use the usernames and passwords harvested from a web administrator's system to host malware on the server to which the trojan author has thereby gained access.

The original PWS-PartyPooper detection also covers this new sample.
--
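To show how an analyst would locate the data the update describes, here is an added Python example (not McAfee's code and not taken from the sample) that finds a PE file's overlay, the bytes past the end of the last raw section, and measures its entropy to judge whether it looks encrypted. The minimal PE it builds is a constructed fixture; the real sample is not reproduced here.

```python
import math
import struct

def pe_overlay(data: bytes):
    """Return (offset, size) of bytes past the last raw section, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    end = 0
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; SizeOfRawData, PointerToRawData sit at +16
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    if end == 0 or end > len(data):
        return None
    return end, len(data) - end

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 are typical of encrypted or compressed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section (test fixture, not a real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)  # PE32 magic
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; rest zero
    section = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + section
    headers += bytes(0x200 - len(headers))  # pad headers up to the first raw section
    return headers + bytes(0x200) + overlay  # section body, then the trailing overlay
```

On a real file, read it into `data`, call `pe_overlay(data)`, and pass `data[offset:]` to `shannon_entropy`; a sizeable overlay with entropy close to 8 is the pattern the update describes.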

This trojan was discovered in connection with the Downloader-AVK trojan, which was installed via the Exploit-CreateTxtRng trojan.

This password stealing trojan scans your system for stored passwords and monitors the websites that you visit for the purpose of sending all this information to the trojan author/distributor.

When run, the trojan installs itself within the WINDOWS (%WinDir%) directory:

  • %WinDir%\fyt\mn32.dll
  • %WinDir%\fyt\nm32.exe

A registry run key is created to load the .EXE file at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "ujm" = C:\WINDOWS\fyt\nm32.exe

The DLL file is a Browser Helper Object and is registered with the system as follows:

  • HKEY_CLASSES_ROOT\AppID\{85B17391-3706-4454-B73F-38D6E74B0480}
  • HKEY_CLASSES_ROOT\AppID\FG.DLL
  • HKEY_CLASSES_ROOT\CLSID\{B4B1D862-DD79-47E6-B29B-2AD5A9A5D885}
  • HKEY_CLASSES_ROOT\CLSID\{FBFD2ED1-14EA-4D3A-B88E-DADF7C058766}
  • HKEY_CLASSES_ROOT\FG.FGHelper
  • HKEY_CLASSES_ROOT\FG.FGHelper.1
  • HKEY_CLASSES_ROOT\FG.SubHelper
  • HKEY_CLASSES_ROOT\FG.SubHelper.1

This DLL relays browser information to the main executable, including form information and typed keystrokes.

Various system information and passwords are stored in the following files:

  • %WinDir%\fyt\~ipcfg636
  • %WinDir%\fyt\~res636
  • %WinDir%\fyt\~start636
  • %WinDir%\fyt\~tmp636
  • %WinDir%\fyt\~view636
  • %WinDir%\fyt\req.txt
  • %WinDir%\fyt\sub.txt

The information harvested includes the following:

  • POP3 Server/Email Address/Username/Password
  • Local user and system account information (SID)
  • ipconfig output
  • netstat output
  • netview output

The trojan attempts to upload harvested information to an FTP server (66.242.129.251).

The trojan contains its own SMTP engine to email information to an address via mail.ru.

Symptoms

The trojan attempts to terminate the following processes:

  • \ZONEALARM.EXE
  • \WFINDV32.EXE
  • \WEBSCANX.EXE
  • \VSSTAT.EXE
  • \VSHWIN32.EXE
  • \VSECOMR.EXE
  • \VSCAN40.EXE
  • \VETTRAY.EXE
  • \VET95.EXE
  • \TDS2-NT.EXE
  • \TDS2-98.EXE
  • \TCA.EXE
  • \TBSCAN.EXE
  • \SWEEP95.EXE
  • \SPHINX.EXE
  • \SMC.EXE
  • \SERV95.EXE
  • \SCRSCAN.EXE
  • \SCANPM.EXE
  • \SCAN95.EXE
  • \SCAN32.EXE
  • \SAFEWEB.EXE
  • \RESCUE.EXE
  • \RAV7WIN.EXE
  • \RAV7.EXE
  • \PERSFW.EXE
  • \PCFWALLICON.EXE
  • \PCCWIN98.EXE
  • \PAVW.EXE
  • \PAVSCHED.EXE
  • \PAVCL.EXE
  • \PADMIN.EXE
  • \OUTPOST.EXE
  • \NVC95.EXE
  • \NUPGRADE.EXE
  • \NORMIST.EXE
  • \NMAIN.EXE
  • \NISUM.EXE
  • \NAVWNT.EXE
  • \NAVW32.EXE
  • \NAVNT.EXE
  • \NAVLU32.EXE
  • \NAVAPW32.EXE
  • \N32SCANW.EXE
  • \MPFTRAY.EXE
  • \MOOLIVE.EXE
  • \LUALL.EXE
  • \LOOKOUT.EXE
  • \LOCKDOWN2000.EXE
  • \JEDI.EXE
  • \IOMON98.EXE
  • \IFACE.EXE
  • \ICSUPPNT.EXE
  • \ICSUPP95.EXE
  • \ICMON.EXE
  • \ICLOADNT.EXE
  • \ICLOAD95.EXE
  • \IBMAVSP.EXE
  • \IBMASN.EXE
  • \IAMSERV.EXE
  • \IAMAPP.EXE
  • \F-STOPW.EXE
  • \FRW.EXE
  • \FP-WIN.EXE
  • \F-PROT95.EXE
  • \F-PROT.EXE
  • \FPROT.EXE
  • \FINDVIRU.EXE
  • \F-AGNT95.EXE
  • \ESPWATCH.EXE
  • \ESAFE.EXE
  • \ECENGINE.EXE
  • \DVP95_0.EXE
  • \DVP95.EXE
  • \CLEANER3.EXE
  • \CLEANER.EXE
  • \CLAW95CF.EXE
  • \CLAW95.EXE
  • \CFINET32.EXE
  • \CFINET.EXE
  • \CFIAUDIT.EXE
  • \CFIADMIN.EXE
  • \BLACKICE.EXE
  • \BLACKD.EXE
  • \AVWUPD32.EXE
  • \AVWIN95.EXE
  • \AVSCHED32.EXE
  • \AVPUPD.EXE
  • \AVPTC32.EXE
  • \AVPM.EXE
  • \AVPDOS32.EXE
  • \AVPCC.EXE
  • \AVP32.EXE
  • \AVP.EXE
  • \AVNT.EXE
  • \AVKSERV.EXE
  • \AVGCTRL.EXE
  • \AVE32.EXE
  • \AVCONSOL.EXE
  • \AUTODOWN.EXE
  • \APVXDWIN.EXE
  • \ANTI-TROJAN.EXE
  • \ACKWIN32.EXE
  • \_AVPM.EXE
  • \_AVPCC.EXE
  • \_AVP32.EXE

Method of Infection

This trojan is installed by a downloader trojan, which may itself be installed by exploiting a Microsoft Internet Explorer vulnerability; see: Exploit-CreateTxtRng

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
