Trojan-PSW.Win32.CrazyBilets

Class Trojan-PSW
Platform Win32
Description

Technical Details

This program belongs to the family of password-stealing Trojans. It was spread from a publicly accessible Web page on the narod.ru server at the beginning of June 2002.

The web page contained the following:

 Intermediate Examinations
 Test papers for mathematics and topics for compositions. Still FREE!

The file residing on the web page is a Trojan installer. When run, it drops a Trojan program into the Windows directory, then extracts and creates fake examination topics (in Russian).

The Trojan itself is a Windows PE EXE file about 27Kb in length (compressed by UPX, the decompressed size is about 83Kb) and written in Delphi.

When executed, the Trojan copies itself to the Windows directory under the SYSTEM.EX name and registers this file in the system registry auto-run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   System = %WindowsDir%\System.exe

The main functions of the CrazyBilets Trojan are collecting cached Windows passwords on victim machines and sending this information to its “master” by direct connection to an SMTP server.
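The auto-run entry described above can be checked for during triage. The following is an added example, not part of the original description: it parses saved `reg query` output for the Run key and reports values whose target is `System.exe` directly in the Windows directory. The function names, the sample output and the `C:\Windows` default are assumptions made for illustration.

```python
import ntpath
import re

WINDOWS_DIR = r"C:\Windows"  # assumption: default Windows directory

# Constructed sample of `reg query` output; not taken from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    System    REG_SZ    C:\WINDOWS\System.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""

# A value line is indented and has name, type and data separated by runs of spaces.
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def target_path(command, windows_dir=WINDOWS_DIR):
    """Return the normalized executable path from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]          # quoted path, arguments follow
    else:
        m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split(" ", 1)[0]
    # Expand %windir% / %SystemRoot%, plus the %WindowsDir% notation used above.
    path = re.sub(r"%(windir|systemroot|windowsdir)%", lambda _: windows_dir,
                  path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(path))


def find_crazybilets_autorun(reg_query_text, windows_dir=WINDOWS_DIR):
    """Return (value name, command) pairs that launch <Windows dir>\\System.exe."""
    expected = ntpath.normcase(ntpath.join(windows_dir, "System.exe"))
    hits = []
    for line in reg_query_text.splitlines():
        m = LINE_RE.match(line)
        if m and target_path(m["data"], windows_dir) == expected:
            hits.append((m["name"], m["data"]))
    return hits


if __name__ == "__main__":
    for name, command in find_crazybilets_autorun(SAMPLE_REG_QUERY):
        print(f"Run value {name!r} launches {command}")
```

A hit means only that the Run entry has the same name and location as the one described; the file it points to still has to be examined.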