Phish-Potpor (trojan)

Discussion in 'malware problems & news' started by Marianna, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Trojan Information
    Discovery Date: 02/16/2004
    Origin: Unknown
    Length: 552.960 bytes
    Type: Trojan
    SubType: Phishing

    This is a detection for a new trojan that sends out a huge amount of emails asking the recipient to update his Visa card contact information, including card number, name, expiration date and PIN.

    When executed, the trojan copies itself to %windir% folder using the filename "LPCONFIG.EXE". It creates a registry key so it gets started on system boot:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "ipconfig" = c:\winnt\lpconfig.exe

    The emails have these properties:

    From: "VISA" [support@visa.com]
    Subject: "VISA Announcement!"
    To: addresses are randomly generated based on a long list of names hardcoded within the trojan.

    Mailbody:

    Dear Visa card owner,Visa company announces you that after latest events concerning e-commerce Visa decided to introduce a new secure program against fraud attempts. We feel sorry to inform you that there is the possibility to temporary suspend your credit card. You must understand that this measure is for protecting our customers against highly increasing internet fraud using credit cards. Our purpose it to create a safer e-commerce system. To upgrade your credit card according to our new security system you must go to the eminent bank and request an upgrade formular or you can also upgrade your card by following the below instructions.Please click here to register your Visa card. Copyright @ 1995-2004 Visa Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

    Example:

    http://vil.nai.com/images/101028a.jpg

    Note: These mails are detected as Phish-Potpor!eml with 4324 DATs or higher.

    The trojan contains a list of SMTP servers that it uses to submit the mails:

    When the 'here' link within the mailbody gets clicked, the browser will open a page hosted on a DYNDNS.ORG IP address. At the moment of this writing, only one page is available and has this content:

    http://vil.nai.com/images/101028b.jpg

    Please note, the content of this page may change.

    http://vil.nai.com/vil/content/v_101028.htm
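A mail-triage check built from the indicators in the post above (spoofed visa.com sender, the "VISA Announcement!" subject, the "register your Visa card" lure and a link to a dyndns.org host), added here as an example that is not part of the original thread or the McAfee write-up. The two sample messages are constructed, and the angle-bracketed sender form is an assumption about how the forum rendered the From header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted in the post.
SPOOFED_FROM_DOMAIN = "visa.com"
PHISH_SUBJECT = "VISA Announcement!"
LURE_PHRASE = "register your visa card"
LANDING_DOMAIN = "dyndns.org"
HOST_RE = re.compile(r'https?://([^/\s"\'>]+)', re.IGNORECASE)


def extract_hosts(body):
    """Return the lowercased host part of every URL found in the body."""
    return [h.lower() for h in HOST_RE.findall(body)]


def score_message(raw):
    """Classify one raw RFC 822 message as 'phish' or 'clean'.

    Returns (verdict, reasons). A message is flagged only when the sender
    claims visa.com AND at least one further indicator from the post fires.
    """
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    spoofed = addr.lower().endswith("@" + SPOOFED_FROM_DOMAIN)
    if spoofed:
        reasons.append("sender claims " + SPOOFED_FROM_DOMAIN)
    if msg.get("Subject", "").strip() == PHISH_SUBJECT:
        reasons.append("subject matches the Phish-Potpor lure")
    # Collect text/plain and text/html parts (walk() yields a single-part
    # message itself, so this also covers non-multipart mail).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    if LURE_PHRASE in body.lower():
        reasons.append("body contains the lure phrase")
    landing = [h for h in extract_hosts(body) if h.endswith(LANDING_DOMAIN)]
    if landing:
        reasons.append("link points at " + landing[0])
    verdict = "phish" if spoofed and len(reasons) >= 2 else "clean"
    return verdict, reasons


# Constructed samples (not real captures).
SAMPLE_PHISH = """From: "VISA" <support@visa.com>
Subject: VISA Announcement!
Content-Type: text/html

Dear Visa card owner, Please <a href="http://cards-update.dyndns.org/visa/">click here</a> to register your Visa card.
"""
SAMPLE_CLEAN = """From: "Newsletter" <news@example.com>
Subject: Monthly statement

Your statement is ready at http://www.example.com/statement
"""
```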
     