Phish-Potpor (trojan)

Trojan Information
Discovery Date: 02/16/2004
Origin: Unknown
Length: 552.960 bytes
Type: Trojan
SubType: Phishing

This is a detection for a new trojan that sends out a huge amount of EMails asking the recipient update his Visa Card contact information including card number, name, expiration date and PIN.

When executed, the trojan copies itself to %windir% folder using the filename "LPCONFIG.EXE". It creates a registry key so it gets started on system boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "ipconfig" = c:\winnt\lpconfig.exe

The emails have these properties:

From: "VISA" [support@visa.com]
Subject: "VISA Announcement!"
To: addresses are randomly generated based on a long list of names hardcoded within the trojan.

Mailbody:

Dear Visa card owner,Visa company announces you that after latest events concerning e-commerce Visa decided to introduce a new secure program against fraud attempts. We feel sorry to inform you that there is the possibility to temporary suspend your credit card. You must understand that this measure is for protecting our customers against highly increasing internet fraud using credit cards. Our purpose it to create a safer e-commerce system. To upgrade your credit card according to our new security system you must go to the eminent bank and request an upgrade formular or you can also upgrade your card by following the below instructions.Please click here to register your Visa card. Copyright @ 1995-2004 Visa Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

Example:

http://vil.nai.com/images/101028a.jpg

Note:These mails are detected as Phish-Potpor!eml with 4324DATs or higher.

The trojan contains a list of SMTP servers that it uses to submit the mails:

207.69.200.80
207.69.200.93
207.69.200.65
207.69.200.159
207.69.200.133
207.69.200.30
207.69.200.36
207.69.200.31
206.124.29.24
165.212.8.32
205.188.158.121
205.188.159.57
205.188.159.249
64.12.137.89
64.12.137.184
64.12.138.57
64.12.138.152
205.188.156.185
64.12.137.184
64.12.138.89
64.12.138.120
205.188.156.185
205.188.158.121
205.188.159.57
64.12.137.89
194.112.50.61
195.157.7.77
194.112.50.11
207.217.125.16
207.217.125.17
207.217.125.18
207.217.125.19
207.217.125.20
207.217.125.21
207.217.125.22
207.217.125.23
207.217.125.24
66.98.161.198
66.98.208.65
66.98.160.58
207.115.63.115
207.115.63.70
195.166.137.25
62.69.90.12
217.28.130.35
80.189.92.100
80.189.94.100
195.72.113.42
145.253.32.2
194.73.73.118
194.73.73.117
192.168.10.130
192.168.10.135
62.253.164.70
195.130.225.26
207.69.200.31
207.69.200.82
207.69.200.17
207.69.200.154
207.69.200.106
194.42.224.145
194.42.224.148
212.74.114.54
212.74.114.26
212.74.114.7
213.189.95.71
213.189.95.71
149.174.40.55
149.174.40.183
149.174.211.5
149.174.213.5



When the 'here' link within the mailbody gets clicked, the brower will open a page hosted on a DYNDNS.ORG IP address. At the moment of this writing, only one page is available and has this content:

http://vil.nai.com/images/101028b.jpg

Please note, the content of this page may change.

http://vil.nai.com/vil/content/v_101028.htm