This is a Win95/98/ME trojan program that attacks the Xpresso financial information
desktop (see http://www.spxpresso.com). The trojan intends to modify financial
transactions, probably to forward these transactions to the hacker's bank account.
It does that by affecting the Java run-time library that is used by the
Xpresso client, which is written in Java.
The trojan was not tested in a virus lab, so we cannot guarantee that it forwards
money transfers to the hacker's or any other account. The fact is that the trojan
intercepts transactions and modifies data in transaction control blocks.
The trojan is distributed attached to Win32 PE EXE files. The trojan code
is placed at the end of PE EXE files in a virus-like way. When an affected file is
run, the trojan code gets control and installs the main trojan component into the
system. Control is then returned to the host file.
The trojan cannot affect other PE EXE files by itself. A special
"dropping" trojan component (a command-line Win32 application) was found that
attaches the trojan code to victim PE EXE files on the user's request.
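As an added example (not code from the original description), the following Python check flags data appended past the last PE section, which is where this trojan's code is placed when it is attached to a host file. The minimal PE builder is constructed here only to exercise the check.

```python
# Added example (not from the original description): flag bytes appended
# after the last section of a PE EXE, which is where this trojan's code is
# placed when it is attached to a host file.
import struct


def pe_overlay(data: bytes) -> tuple[int, int]:
    """Return (overlay_offset, overlay_size) for the PE image in `data`.

    The image ends at the largest PointerToRawData + SizeOfRawData over all
    section headers; anything past that is overlay. Raises ValueError for
    input that is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = coff + 20 + opt_size           # first IMAGE_SECTION_HEADER
    end = sections + num_sections * 40        # headers count as image data
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        # of each 40-byte section header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))
    return end, len(data) - end


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed, non-runnable one-section PE used only to exercise the check."""
    e_lfanew = 0x40
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: parser does not need it), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x200
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", len(section_payload), 0x1000, len(section_payload), raw_ptr
    ) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + sect
    return headers.ljust(raw_ptr, b"\0") + section_payload


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 64)
    appended = clean + b"X" * 60            # stands in for appended trojan code
    print(pe_overlay(clean), pe_overlay(appended))   # (576, 0) (576, 60)
```

A non-zero overlay is only a triage signal: installers and signed binaries legitimately carry overlay data, so inspect the appended bytes rather than treating the result as a verdict.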
While installing into the system, the trojan extracts a VxD
component (the main trojan component) from its code and writes it to a newly created
MSREBOOT.VXD file in the Windows system directory. This VxD is then registered in the
"VxD Services" registry key.
More keys are also created there:
RebootData = [zero-length data]
Start = 00
StaticVxD = “*REBOOT,MSREBOOT.VXD”
The first key indicates the date when the trojan will uninstall itself from the
system: the trojan then wipes its VXD file with zeros and deletes that file.
The second key is unknown.
The third key is an auto-load registry key that forces Windows to load and activate
the VXD file when Windows starts up.
When the trojan VXD file is activated, the main trojan procedure monitors file
opening and looks for the Java runtime library JRT3230.DLL. The trojan
then lets that library load, waits until loading has completed, and hooks the
"do_execute_java_method_vararg" Java function.
The hook then intercepts all data processed by that function, including
bank transfers made with the Xpresso client. The trojan parses the
transfer request structure and replaces some fields in that request with
other values. It seems the trojan replaces the original destination bank account
number with the hacker's one.