Parent class: TrojWare
Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.
Class: Trojan-PSW
Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware. When launched, a PSW Trojan searches the system files and registry locations that store a range of confidential data. If such data is found, the Trojan sends it to its "master". Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data. Some such Trojans also steal registration information for certain software programs.
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.
Description
Technical Details
This is a password and WebMoney information stealing Trojan program with the ability to download its "upgrades" from Internet Web sites and replace itself with the new versions. The Trojan was embedded into freeware game packages and was distributed in this way in May 2001.
Because the Trojan can "upgrade" itself from Internet Web sites, the information below may not be completely correct for Trojan versions that are not yet known.
Installation
When the Trojan is run, it copies itself to the Windows system directory with the TASKSVR32.EXE name and registers itself in the registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager = tasksvr32.exe
If an error occurs while creating that key (the current user has no write access to HKLM keys), the Trojan registers itself in the HKCU key instead:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager = tasksvr32.exe
The Trojan then creates the DLL file-helper COOLX.DLL in the Windows system directory. The original Trojan file (from which the Trojan started) is then deleted.
The Trojan also creates further registry values and writes hexadecimal data to them:
HKCU\Software\Microsoft\DirectX
DRMInstallFocus = %hex value% ; these four values hold the system time
DRMInstallPlace = %hex value% ; at which the Trojan installed itself
DRMUpdateFocus = %hex value% ; on the system
DRMUpdatePlace = %hex value% ;
DRMVersion = %hex value% ; Trojan version
The Trojan then stays resident in Windows memory as a hidden service process and remains active until Windows is restarted.
Stolen Information
The Trojan sends its author the following information from an infected computer:
Computer name
User name
RegisteredOwner and RegisteredOrganization strings
Installed hardware information
Network resources with access mode
IP address
RAS information and cached passwords
Other Internet access logins and passwords
ICQ user information
WebMoney information and data files
Upgrading
Depending on several conditions, the Trojan obtains files from Internet sites, downloads them to the Windows temporary directory under the name RTTY32.EXE and runs them. These files are the next Trojan versions, and they may have improved functionality.
Known Trojan versions download files from the following pages:
sfavp.chat.ru/update
widpage.chat.ru/update
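The installation and upgrading sections above list concrete host-based indicators: the auto-run value "Microsoft Task Manager" = tasksvr32.exe under the HKLM or HKCU Run key, the DRM* marker values under HKCU\Software\Microsoft\DirectX, and the dropped files TASKSVR32.EXE, COOLX.DLL and RTTY32.EXE. The following script is an added example (not Kaspersky's code and not part of the original description) showing how a responder might check an exported registry file and a file listing for these indicators. It assumes a minimal .reg export format (bracketed key headers and "name"="data" lines) and uses constructed sample input; the hex data in the sample is made up and only its presence, not its content, is checked.

```python
"""Check a .reg export and a file listing for the indicators described above.

Added example, not part of the original description. The sample registry
export and file paths below are constructed for demonstration.
"""

# Indicators taken from the description above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "Microsoft Task Manager"
RUN_VALUE_DATA = "tasksvr32.exe"
DIRECTX_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\DirectX"
DIRECTX_VALUES = {
    "DRMInstallFocus", "DRMInstallPlace",
    "DRMUpdateFocus", "DRMUpdatePlace", "DRMVersion",
}
# Files the Trojan drops (system directory) or downloads (temp directory).
DROPPED_FILES = {"tasksvr32.exe", "coolx.dll", "rtty32.exe"}


def parse_reg_export(text):
    """Parse a minimal .reg export into {key (lower-cased): {value_name: data}}.

    Only the shapes needed here are handled: a key header in [brackets] and
    value lines of the form "name"="string" or "name"=hex:.. (kept as raw text).
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys


def find_registry_indicators(keys):
    """Return human-readable findings for the Run-key and DirectX indicators."""
    findings = []
    for run_key in RUN_KEYS:
        data = keys.get(run_key.lower(), {}).get(RUN_VALUE_NAME)
        # endswith() also matches a full path such as ...\system32\tasksvr32.exe
        if data and data.lower().endswith(RUN_VALUE_DATA):
            findings.append(f"autorun: {run_key}\\{RUN_VALUE_NAME} = {data}")
    present = sorted(DIRECTX_VALUES & set(keys.get(DIRECTX_KEY.lower(), {})))
    if present:
        findings.append(f"marker values under {DIRECTX_KEY}: {', '.join(present)}")
    return findings


def find_file_indicators(paths):
    """Return the paths whose file name matches a known dropped/downloaded file."""
    return sorted(p for p in paths if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILES)


def scan(reg_text, paths):
    """Combine both checks into one list of findings."""
    return find_registry_indicators(parse_reg_export(reg_text)) + [
        f"file: {p}" for p in find_file_indicators(paths)
    ]


# Constructed sample input: an HKCU-only infection (no HKLM write access).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Task Manager"="tasksvr32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\DirectX]
"DRMInstallFocus"=hex:00,00,00,00
"DRMVersion"=hex:00,00,00,00
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM32\TASKSVR32.EXE",
    r"C:\WINDOWS\SYSTEM32\COOLX.DLL",
    r"C:\WINDOWS\SYSTEM32\kernel32.dll",
    r"C:\WINDOWS\TEMP\RTTY32.EXE",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

On a real host the .reg text would come from an export of the two Run keys and the DirectX key, and the path list from a directory listing of the Windows system and temporary directories; because the Trojan updates itself, treat the file names as indicators of this family rather than an exhaustive signature.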
Other
Some known versions also:
http://vrs.ru
http://ebooks.vov.ru
http://3w.ozonebooks.com