Momma-B Trojan

Discussion in 'malware problems & news' started by Paul Wilders, May 21, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders (Administrator)

    Joined: Jul 1, 2001
    Posts: 12,472
    Location: The Netherlands
    Name: Troj/Momma-B
    Type: Trojan
    Date: 21 May 2002

    At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.

    Description:

    Troj/Momma-B is a backdoor Trojan and denial-of-service attack tool. It allows a remote user access to the machine via IRC channels and allows them to carry out denial-of-service attacks on the local network.

    Troj/Momma-B creates a hidden folder named \INF\internet\ in the Windows folder. It then installs the files command.exe, D3dxfo.dll, icmpfilter.dll, inf.exe, mirc.ini, remote.ini, Rvspsp.dll and vbejat32.dll along with the legitimate files mswinsck.ocx and wsminsck.ocx. It also creates the registry entry

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\InternetExplorer = <Windows folder>\INF\internet\inf.exe

    so that the Trojan is run automatically each time Windows is started.

    When the Trojan runs it tries to connect to an IRC server and join a specific channel. It then runs in the background as a server process, listening on the IRC channel for commands from an attacker. When it receives a command it will perform the specified action, such as executing a malicious IRC script.

    Troj/Momma-B uses its own IRC client program so it can work on computers that do not have other IRC client software installed.

    Read the analysis at

    www.sophos.com/virusinfo/analyses/trojmommab.html
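
An added example, not part of the original post or the Sophos advisory: a Python triage check that matches a host's file listing and exported HKLM Run values against the folder, file names and Run entry described above. The function names, the `C:\WINDOWS` default and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the advisory text above.
DROP_DIR = r"\inf\internet"
TROJAN_FILES = {"command.exe", "d3dxfo.dll", "icmpfilter.dll", "inf.exe",
                "mirc.ini", "remote.ini", "rvspsp.dll", "vbejat32.dll"}
# Named by the advisory as legitimate files; only notable inside DROP_DIR.
LEGIT_FILES = {"mswinsck.ocx", "wsminsck.ocx"}
RUN_VALUE = "internetexplorer"


def _norm(path):
    """Lower-case a Windows path, dropping surrounding quotes and whitespace."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def in_drop_dir(path, windows_dir):
    """True if path sits directly in <Windows folder>\\INF\\internet."""
    return ntpath.dirname(_norm(path)) == _norm(windows_dir) + DROP_DIR


def check_host(file_paths, run_values, windows_dir=r"C:\WINDOWS"):
    """Return (kind, detail) findings for one host.

    file_paths: full paths from a file listing (hidden folders included).
    run_values: value name -> data, exported from the HKLM Run key.
    """
    findings = []
    for p in file_paths:
        if not in_drop_dir(p, windows_dir):
            continue  # same file name elsewhere is not an indicator
        name = ntpath.basename(_norm(p))
        if name in TROJAN_FILES:
            findings.append(("dropped_file", p))
        elif name in LEGIT_FILES:
            findings.append(("legit_file_in_drop_dir", p))
    for value_name, data in run_values.items():
        if in_drop_dir(data, windows_dir) and ntpath.basename(_norm(data)) == "inf.exe":
            # Value name from the advisory, or the same target under another name.
            kind = "run_key" if value_name.lower() == RUN_VALUE else "run_key_other_name"
            findings.append((kind, f"{value_name} = {data}"))
    return findings


# Constructed sample data for illustration (assumed host layout).
SAMPLE_FILES = [r"C:\WINDOWS\INF\internet\inf.exe", r"c:\windows\inf\INTERNET\mIRC.ini",
                r"C:\WINDOWS\INF\internet\mswinsck.ocx", r"C:\WINDOWS\system32\mswinsck.ocx"]
SAMPLE_RUN = {"InternetExplorer": r'"C:\WINDOWS\INF\internet\inf.exe"',
              "SomeApp": r"C:\Program Files\SomeApp\app.exe"}
```

Calling `check_host(SAMPLE_FILES, SAMPLE_RUN)` reports the two dropped files, the OCX copy inside the hidden folder and the Run entry, while the copy of `mswinsck.ocx` in `system32` is ignored.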
     