McAfee > Theat Center > Virus Detail Page

Overview

-- Update November 20, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog

This detection is for a trojan which attempts to steal information from a user's system.  It gathers keyboard strokes and other system-specific information.

Characteristics

-- Update November 20, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog

We have seen spam mails with spoofed email address from US Department of Justice like the following with the attached malware targeted at specific people.

When complaint.scr file is run, it drops the following files into the DRIVERS directory:

• %WINDOWS%\system32\drivers\svchost.exe (Keylog-LMtry)
• %WINDOWS%\system32\drivers\kbd.dll (Keylog-LMtry)
• %WINDOWS%\system32\drivers\test.dll (Keylog-LMtry)

Hooks itself to the system startup by adding the following registry key:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "service" = "%WINDOWS%\system32\drivers\svchost.exe"

test.dll injects itself into the Explorer and Internet Explorer process. The trojan is found to communicate with the following websites.

• http://dc.dip.jp/[blocked]/
• http://furystrikesback.com/[blocked]/

The sniffed Internet explorer passwords are uploaded to a remote server. The victim machine also posts network information like internal and the external ip addresses to the remote machine.

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behaviour of these new binaries altered - possibly with every user infection.

Symptoms

The infected system polls the remote php scripts occasionally to indicate its availability:

• http://dc.dip.jp/[blocked]/setStatus.php
• http://furystrikesback.com/[blocked]/setStatus.php

Method of Infection

Many of these mails are spammed by the author to entice people into opening them.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

-- Update November 20, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog

This detection is for a trojan which attempts to steal information from a user's system.  It gathers keyboard strokes and other system-specific information.

Characteristics

Characteristics -

-- Update November 20, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog

We have seen spam mails with spoofed email address from US Department of Justice like the following with the attached malware targeted at specific people.

When complaint.scr file is run, it drops the following files into the DRIVERS directory:

• %WINDOWS%\system32\drivers\svchost.exe (Keylog-LMtry)
• %WINDOWS%\system32\drivers\kbd.dll (Keylog-LMtry)
• %WINDOWS%\system32\drivers\test.dll (Keylog-LMtry)

Hooks itself to the system startup by adding the following registry key:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "service" = "%WINDOWS%\system32\drivers\svchost.exe"

test.dll injects itself into the Explorer and Internet Explorer process. The trojan is found to communicate with the following websites.

• http://dc.dip.jp/[blocked]/
• http://furystrikesback.com/[blocked]/

The sniffed Internet explorer passwords are uploaded to a remote server. The victim machine also posts network information like internal and the external ip addresses to the remote machine.

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behaviour of these new binaries altered - possibly with every user infection.

Symptoms

Symptoms -

The infected system polls the remote php scripts occasionally to indicate its availability:

• http://dc.dip.jp/[blocked]/setStatus.php
• http://furystrikesback.com/[blocked]/setStatus.php

Method of Infection

Method of Infection -

Many of these mails are spammed by the author to entice people into opening them.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A