W32.Alerta.Trojan

[javacool]

Discovered on Feb. 27th, 2002.

Norton's information page: http://securityresponse.symantec.com...ta.trojan.html

[javacool]

From the bulletin:

Quote:

W32.Alerta.Trojan
Discovered on: February 27, 2002
Last Updated on: February 28, 2002 at 07:03:05 PM PST

W32.Alerta.Trojan is a Trojan that displays messages in Spanish. The messages have a pink background that covers the entire Windows desktop.

Type: Trojan Horse
Infection Length: 113,664 bytes

Virus Definitions (Intelligent Updater): February 28, 2002
Virus Definitions (LiveUpdateTM): March 6, 2002

Damage:

Payload:
Modifies files: Registry and Win.ini

Technical description:

When W32.Alerta.Trojan is executed it does the following:


1. It copies itself as \Windows\Alerta.exe.
2. Next, it adds the value

Shellh32 * * * *C:\windows\alerta.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs when you start Windows.

3. Then the Trojan creates these files:
\Windows\SPFC.bmp. Its size is about 1407 KB. It is a bitmap that the Trojan uses to set the background of the Windows desktop.
\Windows\Shellh32.dll. Its size is about 11 bytes. It is a text file that contains dots (....).

4. Next, it modifies Win.ini by changing the following line in the [Desktop] section:

Wallpaper=C:\Windows\SPFC.bmp

5. Next, the Trojan displays the graphical message

Alerta

on a flashing red background.

Spanish messages are then displayed over a pink background that covers the Windows desktop.

6. Finally, the Trojan locks the keyboard and moves the cursor from left to right.