Phish-Potpor (trojan)

Discussion in 'malware problems & news' started by Marianna, Feb 17, 2004.

Thread Status:
Not open for further replies.
    Marianna
    Spyware Fighter
    Apr 23, 2002
    B.C. Canada
    Trojan Information
    Discovery Date: 02/16/2004
    Origin: Unknown
    Length: 552.960 bytes
    Type: Trojan
    SubType: Phishing

    This is a detection for a new trojan that sends out a huge amount of EMails asking the recipient to update his Visa Card contact information including card number, name, expiration date and PIN.

    When executed, the trojan copies itself to %windir% folder using the filename "LPCONFIG.EXE". It creates a registry key so it gets started on system boot:

    CurrentVersion\Run "ipconfig" = c:\winnt\lpconfig.exe

    The emails have these properties:

    From: "VISA" []
    Subject: "VISA Announcement!"
    To: addresses are randomly generated based on a long list of names hardcoded within the trojan.


    Dear Visa card owner,Visa company announces you that after latest events concerning e-commerce Visa decided to introduce a new secure program against fraud attempts. We feel sorry to inform you that there is the possibility to temporary suspend your credit card. You must understand that this measure is for protecting our customers against highly increasing internet fraud using credit cards. Our purpose it to create a safer e-commerce system. To upgrade your credit card according to our new security system you must go to the eminent bank and request an upgrade formular or you can also upgrade your card by following the below instructions.Please click here to register your Visa card. Copyright @ 1995-2004 Visa Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.


    Note: These mails are detected as Phish-Potpor!eml with 4324DATs or higher.

    The trojan contains a list of SMTP servers that it uses to submit the mails:

    When the 'here' link within the mailbody gets clicked, the browser will open a page hosted on a DYNDNS.ORG IP address. At the moment of this writing, only one page is available and has this content:

    Please note, the content of this page may change.
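An added example, not part of Marianna's post: a small Python check that scans a `.reg` export of the `CurrentVersion\Run` key and flags autostart entries whose executable name imitates a Windows tool with look-alike characters, the way `lpconfig.exe` imitates `ipconfig`. The `.reg` text, the short list of system binary names and the confusable-character table are all constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg-style dump of a Run key. The "ipconfig" value pointing at
# lpconfig.exe under c:\winnt mirrors the entry described in the post above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ipconfig"="c:\\winnt\\lpconfig.exe"
"""

# Assumed short list of Windows utilities whose names malware likes to borrow.
KNOWN_SYSTEM_BINARIES = {"ipconfig", "svchost", "lsass", "explorer"}
# Characters that read alike in common fonts (lower-case L vs I, digit 0 vs O).
CONFUSABLES = {"l": "i", "1": "i", "0": "o", "|": "i"}

def normalize(name: str) -> str:
    """Fold look-alike characters so 'lpconfig' and 'ipconfig' compare equal."""
    return "".join(CONFUSABLES.get(c, c) for c in name.lower())

def mimicked_binary(exe_base: str) -> Optional[str]:
    """Return the genuine tool name that exe_base imitates, or None."""
    if exe_base in KNOWN_SYSTEM_BINARIES:
        return None  # spelled exactly like the real tool; not a look-alike
    folded = normalize(exe_base)
    for known in KNOWN_SYSTEM_BINARIES:
        if normalize(known) == folded:
            return known
    return None

def parse_run_values(reg_text: str) -> List[Dict[str, str]]:
    """Extract value-name / command pairs from a .reg dump (unescaping backslashes)."""
    pairs = re.findall(r'^"([^"]+)"="(.*)"$', reg_text, flags=re.M)
    return [{"name": n, "command": v.replace("\\\\", "\\")} for n, v in pairs]

def suspicious_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Flag autostart entries whose executable name imitates a system binary."""
    hits = []
    for entry in parse_run_values(reg_text):
        exe = entry["command"].split("\\")[-1].split(" ")[0].lower()
        base = exe[:-4] if exe.endswith(".exe") else exe
        target = mimicked_binary(base)
        if target is not None:
            entry["mimics"] = target
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REG):
        print(f'{hit["name"]} -> {hit["command"]} (imitates {hit["mimics"]})')
```

On a real host the same check can be run over the output of `reg export` for the Run keys under both HKLM and HKCU.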