Discussion in 'malware problems & news' started by Marianna, Feb 18, 2004.

Thread Status:
Not open for further replies.
Marianna (Spyware Fighter)

    Date Discovered: 2/9/2004
    Date Added: 2/17/2004
    Origin: Unknown
    Length: 19,295 bytes / 12,797 bytes
    Type: Trojan

    Virus Characteristics

    This trojan simply installs other trojans. It was being installed via an Internet Explorer exploit. Unsuspecting users who navigated to a specified website using a vulnerable web browser would become infected.

    At the time of this writing the website in question is no longer responding.

    Upon visiting the infectious web page, the Exploit-MhtRedir trojan would download and access a Microsoft Compiled Help file (CHM.CHM). Within this CHM file exists an HTML document, LAUNCH.HTML, which contains the Exploit-CodeBase trojan to run the file MSTASK.EXE, which is the MultiDropper-GP.a trojan.

    Indications of Infection

    Presence of the following files:

    %WinDir%\msto32.dll (3,072 bytes) - KeyHook.dll application
    %WinDir%\svchost.exe (12,288 bytes) - Spy-Tofger trojan
    %WinDir%\Downloaded Program Files\mstasks.exe (25,852 bytes) - MultiDropper-GP.a trojan
    %SysDir%\mstu.exe (6,656 bytes) - ProcKill-BM trojan
    %SysDir%\wingua.exe (4,608 bytes) - MultiDropper-GP.b trojan
    Where %WinDir% is the Windows directory (c:\windows, c:\winnt, etc.) and %SysDir% is the System directory (c:\windows\system32, c:\windows\system, etc.).

    Method of Infection

    This trojan is installed via an Internet Explorer vulnerability when visiting an infectious website.


    PHP_BIZAI.A (Trend)
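The "Indications of Infection" section above is a list of file path and size pairs, which is exactly the shape of a simple host check. The script below is an added example, not code from the post or from the vendor description it quotes: it encodes those five indicators, expands %WinDir% and %SysDir% the way the post defines them, and reports which indicator files are present and whether their sizes match. The sample listing it runs against is constructed here for illustration; `listing_from_disk` does the same lookup on a live Windows host.

```python
"""Check for the MultiDropper-GP file indicators quoted in the post.

Added example (not the post's or McAfee's code). Works either on a
captured {path: size} listing or, on a Windows host, on the live filesystem.
"""
import os
from typing import Dict, List, Tuple

# Indicators copied from the post: (template path, expected size in bytes, description).
INDICATORS: List[Tuple[str, int, str]] = [
    ("%WinDir%\\msto32.dll", 3072, "KeyHook.dll application"),
    ("%WinDir%\\svchost.exe", 12288, "Spy-Tofger trojan"),
    ("%WinDir%\\Downloaded Program Files\\mstasks.exe", 25852, "MultiDropper-GP.a trojan"),
    ("%SysDir%\\mstu.exe", 6656, "ProcKill-BM trojan"),
    ("%SysDir%\\wingua.exe", 4608, "MultiDropper-GP.b trojan"),
]


def expand(template: str, windir: str, sysdir: str) -> str:
    """Substitute %WinDir% / %SysDir% as the post defines them."""
    return template.replace("%WinDir%", windir).replace("%SysDir%", sysdir)


def check_listing(listing: Dict[str, int], windir: str, sysdir: str) -> List[Tuple[str, str, bool]]:
    """Match a {full_path: size_in_bytes} listing against INDICATORS.

    Returns (path, description, size_matches) for every indicator path that
    exists in the listing. A name hit with a different size is still reported:
    these names in these locations are suspicious on their own.
    """
    normalized = {path.lower(): size for path, size in listing.items()}
    hits = []
    for template, expected_size, description in INDICATORS:
        path = expand(template, windir, sysdir).lower()
        if path in normalized:
            hits.append((path, description, normalized[path] == expected_size))
    return hits


def listing_from_disk(windir: str = None, sysdir: str = None):
    """Build the listing from a live Windows host (only the indicator paths are stat'ed).

    %SysDir% defaults to <windir>\\system32; pass sysdir explicitly for a
    c:\\windows\\system layout as mentioned in the post.
    """
    windir = windir or os.environ.get("WINDIR", r"c:\windows")
    sysdir = sysdir or os.path.join(windir, "system32")
    listing = {}
    for template, _, _ in INDICATORS:
        path = expand(template, windir, sysdir)
        if os.path.isfile(path):
            listing[path] = os.path.getsize(path)
    return listing, windir, sysdir


# Constructed sample listing (not real data): two exact hits, one name hit with a
# different size, and one benign file that must not be reported.
SAMPLE_LISTING = {
    r"c:\windows\msto32.dll": 3072,
    r"c:\windows\svchost.exe": 12288,
    r"c:\windows\system32\wingua.exe": 4000,
    r"c:\windows\system32\kernel32.dll": 983040,
}


if __name__ == "__main__":
    for path, description, size_ok in check_listing(SAMPLE_LISTING, r"c:\windows", r"c:\windows\system32"):
        print(f"{path}: {description} (size {'matches' if size_ok else 'differs'})")
```

On the constructed listing this reports msto32.dll and svchost.exe as exact matches and wingua.exe as a name match with a different size. One thing worth noting when triaging a real host: the legitimate svchost.exe lives under the System directory, so a svchost.exe sitting directly in %WinDir% is suspicious regardless of whether its size matches the figure quoted here.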