Trojan.WebMoney.Wmpatch is a trojan program consisting of two executable Win32 PE-files: DBOLE.EXE and SICKBOY.EXE.These files are downloaded by the trojan program TrojanDownloader.Win32.Small.n. A mass mailing of this trojan program was detected on March 5th, 2003. Message text appears as follows:
From: Greeting cards [firstname.lastname@example.org] Sent: 5 March 2003 8:20 (actual text on this line is in Russian) To: Ivan Petrov Subject: You have received a card! (actual text on this line is in Russian) (Seen here is Russian text analagous to the the text in English just below.) Hello! You've got a postcard! To view this postcard, click on the link: http://www.yahoo-greeting-cards.com/*************/viewcard_680fe23d52.asp.scr You will be able to see it at anytime within the next 60 days. ____________________________________________________ Favorite postcards on http://www.yahoo-greeting-cards.com
File – DBOLE.EXE
The program creates a report file under the name:
Next the Trojan installs itself into the Windows registry auto-run key.
The following strings are contained within the file:
kernel32.dll rock the block c:wmkey.bin c:wmmem.bin CreateFileA WriteFile CloseHandle lstrlen CopyFileA DatabaseOLE false SoftwareMicrosoftWindowsCurrentVersionRun Command line: '%s' - Memory allocation failed + Shutting down - Bad file version - File writing error + File written + Prepare to patch + Entry point at %d (%x) + Patch at %d (%x) + Reading ok, %d bytes read - Error reading file + Memory allocation ok File size: %d bytes + Open file ok - WM not installed - Error opening file Patching: %s + Get path ok %s + Starting WMClient.dll SoftwareWebmoneyPath %s c:wmlog.bin
File – SICKBOY.EXE
"c:wmlog.bin", "c:wmmem.bin", "c:wmkey.bin"
They are sent to the address:
So this program can connect itself to the SMTP server and to form email text it converts binary files into text format.
The file conatains the following strings:
xfm1.txt RegisterServiceProcess kernel32.dll c:wmkey.bin c:wmmem.bin c:wmlog.bin WebMoney Keeper QUIT Subject: %s DATA RCPT TO:
|Find out the statistics of the threats spreading in your region|