NEW TROJAN THAT ARRIVES BY E-MAIL AND CREATES BACKDOOR-CEX


Post by msc hotline sat » 19 May 2004, 20:43

McAfee informs us of a new bug covered starting with the 4362 DATs due out tonight:

McAfee's description:

__________________________________________



Trojan Name: Multidropper-KN
Risk Assessment: Corporate User: Low / Home User: Low







Trojan Information

Discovery Date: 05/19/2004

Origin: Unknown

Length: 17,520 bytes (Zipped) 25,952 Bytes (UnZipped)

Type: Trojan

SubType: Dropper

Minimum DAT: 4362 (05/19/2004)

Updated DAT: 4362 (05/19/2004)

Minimum Engine: 4.2.40

Description Added: 05/19/2004

Description Modified: 05/19/2004 10:54 AM (PT)

Trojan Characteristics:

This trojan is known to have been spammed out to several email addresses.





Subject of message:

Important news about our soldiers in IRAQ!!!

Message body:

Seven officers was lost today,
follow the link to get the full story.

(URL link pointing to an innocent page showing stats on Iraqi soldiers killed).

Attachment: (Zip attachment)

IMPORTANT INFORMATION.ZIP (17,520 bytes).











Execution

When run, the trojan drops both a backdoor and a password-stealing component onto the victim's computer.

The following files are dropped into the %windir%\system32\ folder:

KERNEL32.WXD - This file holds additional information about the victim's computer, such as passwords to certain applications and POP3 accounts.

RASCOM.DLL - DLL used by Backdoor-CEX.

RSV32.EXE - This is the backdoor component; it is automatically executed by the dropper file and detected as the Backdoor-CEX trojan with the 4362 DATs and above.



The following registry value is added so that the backdoor is executed after a system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "explorer.exe %windir%\system32\rsv32.exe"

KEYBRD32.SYS is dropped into the %windir%\system32\drivers folder - This program is capable of hiding applications which are usually visible within Task Manager.

The dropper file also attempts to drop a password-stealing component which is detected as PWS-LDPinch with the 4362 DATs and above.








Symptoms

New files dropped on the target machine as mentioned above.




Method Of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, attachments in newsgroup postings or email, etc.








Removal Instructions

All Users:

Use specified engine and DAT files for detection and removal. Delete files which contain this detection.
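As an added example (not part of the McAfee write-up or the forum post), the following read-only PowerShell check looks for the two host-side indicators described above: a Winlogon "Shell" value that is no longer just explorer.exe, and the dropped file names in system32 and system32\drivers. File names and the registry path are taken from the description; nothing is deleted.

```powershell
# Added example, not McAfee's or the poster's code: read-only triage for the
# Multidropper-KN / Backdoor-CEX indicators described in the write-up.
$sys32   = Join-Path $env:windir 'system32'
$drivers = Join-Path $sys32 'drivers'

# Files the description says the dropper writes.
$droppedFiles = @(
    (Join-Path $sys32   'KERNEL32.WXD'),
    (Join-Path $sys32   'RASCOM.DLL'),
    (Join-Path $sys32   'RSV32.EXE'),
    (Join-Path $drivers 'KEYBRD32.SYS')
)

$findings = @()

# 1. On a stock install the Winlogon Shell value is exactly "explorer.exe".
#    The trojan appends its own executable after explorer.exe, so anything
#    beyond that single token is suspicious.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell value is non-default: '$shell'"
}

# 2. Presence of any of the dropped files (with size and timestamp for the record).
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += "Dropped file present: $f ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Multidropper-KN / Backdoor-CEX indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    Write-Output 'Remediate with the engine and DAT versions named in the description.'
}
```

Run it from an elevated prompt; reading the HKLM Winlogon key and the system32 folder does not require elevation, but the -Force on Get-Item is needed to see hidden or system-attributed copies of the dropped files.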



__________________________________________



regards



ms, 19-5-2004