NIPC CyberNotes #2002-12 Page 33 of 33 06/17/2002
Troj/DSS-A: This is a Trojan that drops the file, INDEX.HTM, into the Windows Temp folder. The Trojan
then opens this file in a hidden browser window. INDEX.HTM contains an HTML script which attempts to
connect to a web site about twenty minutes after opening. The web site contains an advertisement for a
web site with pornographic content and may attempt to drop a dialler program onto the user's computer.
The behavior of Troj/DSS-A may be altered dynamically by changing the contents of the web page to
which it connects. The Trojan file is likely to arrive in an e-mail as an attachment called OPENME.EXE.
TROJ_WORTRON.10B (Alias: Trojan.PSW.Wortron.10.b): This Trojan and Worm Generator can run
on any Windows platform. On its own, it does not have a destructive payload or routine. However, the
Trojans and worms it generates may be destructive, depending on how the malicious user using this
generator configures the generated malware.
Trojan.PSW.CrazyBilets: This program belongs to the family of password-stealing Trojans. On June 2, a
site with the descriptive name Graduates of 2002 was exposed operating in the public access home pages
of Narod.ru. The anonymous author offered visitors the chance to download a file containing the actual
exams for literature and mathematics. When the file is downloaded, what the visitor actually receives is
a list of essays, allegedly the compositions sought by the students, and with it the Trojan
program named CrazyBilets. The web page contained the following:
● Intermediate Examinations
● Test papers for mathematics and topics for compositions. Still FREE!
The file residing on the web page is a Trojan installer. When run, it drops a Trojan program into the
Windows directory, then extracts and creates fake examination topics (in Russian). The Trojan itself is a
Windows PE EXE file about 27Kb in length (compressed by UPX, the decompressed size is about 83Kb)
and written in Delphi. When executed, the Trojan copies itself to the Windows directory under the
SYSTEM.EXE name and registers this file in the system registry auto-run key:
● HKLM\Software\Microsoft\Windows\CurrentVersion\Run System = %WindowsDir%\System.exe
The main function of the CrazyBilets Trojan is collecting cached Windows passwords on victim
machines and sending this information to its "master" by direct connection to an SMTP server.
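A check for the auto-run entry described above, as an added example that is not part of the original bulletin: it parses saved `reg query` output for the Run key and flags any value whose command resolves to System.exe directly in the Windows directory. The sample output, the function names and the default Windows directory are assumptions; matching on the path alone, whatever the value name, goes slightly beyond the single entry the bulletin lists.

```python
import re

# Indicator from the description above: Run value "System" = %WindowsDir%\System.exe
IOC_VALUE_NAME = "system"
IOC_FILE_NAME = "system.exe"
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
ENV_RE = re.compile(r"%(windir|systemroot)%", re.IGNORECASE)

# Constructed sample of `reg query` output; only the "System" line mirrors the bulletin.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    LoadPowerProfile    REG_SZ    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    System    REG_SZ    C:\WINDOWS\System.exe
    Updater    REG_EXPAND_SZ    "%WinDir%\SYSTEM.EXE" /s
    ScanRegistry    REG_SZ    C:\WINDOWS\scanregw.exe /autorun
"""

def parse_reg_query(text):
    """Yield (name, type, data) for each value line of `reg query` output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("name"), m.group("type"), m.group("data").strip()

def command_path(data, windir):
    """Return the lower-cased executable path from a Run value, without arguments."""
    data = ENV_RE.sub(lambda _: windir, data.strip())  # expand %windir% / %SystemRoot%
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]               # quoted path, arguments follow
    else:
        m = re.match(r"(.+?\.exe)(\s|$)", data, re.IGNORECASE)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return path.replace("/", "\\").rstrip("\\").lower()

def find_crazybilets_autorun(text, windir=r"C:\WINDOWS"):
    """Return (value name, raw data, reason) for entries matching the indicator."""
    target = windir.rstrip("\\").lower() + "\\" + IOC_FILE_NAME
    hits = []
    for name, _type, data in parse_reg_query(text):
        if command_path(data, windir) == target:
            reason = "name+path" if name.lower() == IOC_VALUE_NAME else "path"
            hits.append((name, data, reason))
    return hits

if __name__ == "__main__":
    for hit in find_crazybilets_autorun(SAMPLE):
        print(hit)
```

Legitimate entries such as SysTray.Exe or scanregw.exe are not flagged because the comparison is on the full resolved path, not on a substring of the name.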