javacool
March 1st, 2002, 05:01 PM
Discovered on Feb. 27th, 2002.
Norton's information page: http://securityresponse.symantec.com/avcenter/venc/data/w32.alerta.trojan.html
javacool
March 1st, 2002, 05:04 PM
From the bulletin:
{QUOTE->
W32.Alerta.Trojan
Discovered on: February 27, 2002
Last Updated on: February 28, 2002 at 07:03:05 PM PST
W32.Alerta.Trojan is a Trojan that displays messages in Spanish. The messages have a pink background that covers the entire Windows desktop.
Type: Trojan Horse
Infection Length: 113,664 bytes
Virus Definitions (Intelligent Updater): February 28, 2002
Virus Definitions (LiveUpdateTM): March 6, 2002
Damage:
Payload:
Modifies files: Registry and Win.ini
Technical description:
When W32.Alerta.Trojan is executed it does the following:
1. It copies itself as \Windows\Alerta.exe.
2. Next, it adds the value
Shellh32 * * * *C:\windows\alerta.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs when you start Windows.
3. Then the Trojan creates these files:
\Windows\SPFC.bmp. Its size is about 1407 KB. It is a bitmap that the Trojan uses to set the background of the Windows desktop.
\Windows\Shellh32.dll. Its size is about 11 bytes. It is a text file that contains dots (....).
4. Next, it modifies Win.ini by changing the following line in the [Desktop] section:
Wallpaper=C:\Windows\SPFC.bmp
5. Next, the Trojan displays the graphical message
Alerta
on a flashing red background.
Spanish messages are then displayed over a pink background that covers the Windows desktop.
6. Finally, the Trojan locks the keyboard and moves the cursor from left to right.
<-QUOTE}
vBulletin® Copyright ©2000-2008, Jelsoft Enterprises Ltd.