Trojan.Win32.FireAnvil

Class Trojan
Platform Win32
Description

Technical Details

This is a trojan program that is built into the “Firehand Ember Millenium”
commercial software (produced by the Firehand Technologies Corporation,
http://www.firehand.com).

The trojan was found in version “5.2.3.0” of this software at the beginning of September 2002. It was found in the original “Firehand Ember” package, which was available for download from the Firehand Web site: http://www.firehand.com/Ember/index.html.

The week after the trojan was found, the trojaned package was removed from the download area and replaced with another “5.2.3.0” build from which the trojan components had been removed.

The trojan components were found in two files in this package:

 Ember32.exe  - the main executable file
 fireutil.dll - program's library

When activated, the trojan displays the message:

 CrAcKiNg SoFtWaRe! PlEaSe WaIt!

It then enumerates all files on the drive where Windows is installed and
overwrites them with the text:

 CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!

The trojan is activated when registration data is entered:

   Registered User ID: [_________]
   Registration Key:   [_________]

if the “Registered User ID” field contains the string “czy czy” (matched case-insensitively; the Registration Key field plays no part in the trigger).
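The two facts above that matter for triage are the trigger condition (a case-insensitive “czy czy” substring in the Registered User ID) and the payload marker (files overwritten with the “CzY CrAcKiNg CrUe!” text). The script below is an added example, not code from this entry or from Firehand: it reproduces the trigger test, looks for the quoted strings in a copy of Ember32.exe or fireutil.dll, and walks a drive to list files the trojan overwrote. Everything beyond the quoted strings and file names is an assumption, in particular that the marker may be stored as UTF-16LE inside the executable, that an overwritten file begins with the payload text, and the constructed sample files the demo builds in a temporary directory.

```python
"""Triage helpers for the FireAnvil trojan described above.

Added example, not code from the malware entry or from Firehand. It relies
only on the strings quoted in the description; the scanning approach, the
UTF-16LE check and the constructed sample files are assumptions.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

TRIGGER_MARKER = "czy czy"                                 # quoted in the entry
ACTIVATION_MESSAGE = b"CrAcKiNg SoFtWaRe! PlEaSe WaIt!"    # quoted in the entry
PAYLOAD_TEXT = b"CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!"  # quoted in the entry
SUSPECT_COMPONENTS = ("ember32.exe", "fireutil.dll")       # named in the entry


def is_trigger_user_id(user_id: str) -> bool:
    """Reproduce the trigger test: the Registered User ID contains 'czy czy',
    compared case-insensitively. The Registration Key field is not involved."""
    return TRIGGER_MARKER in user_id.lower()


def _encodings(marker: bytes) -> tuple[bytes, bytes]:
    # Win32 binaries often store UI strings as UTF-16LE; the entry does not say
    # which form Ember32.exe uses, so both forms are checked (assumption).
    return marker, marker.decode("ascii").encode("utf-16-le")


def scan_component(path: os.PathLike | str) -> list[str]:
    """Return the names of FireAnvil strings found in a program file.
    An empty list does not clear the file: the strings could be packed,
    encrypted or assembled at run time."""
    data = Path(path).read_bytes()
    found = []
    for name, marker in (("activation_message", ACTIVATION_MESSAGE),
                         ("payload_text", PAYLOAD_TEXT)):
        if any(enc in data for enc in _encodings(marker)):
            found.append(name)
    return found


def is_clobbered(path: os.PathLike | str) -> bool:
    """True if the file's content starts with the payload text, i.e. the
    trojan overwrote it (assumption: the text lands at offset 0). Only
    len(PAYLOAD_TEXT) bytes are read, so large files cost nothing extra."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(PAYLOAD_TEXT)) == PAYLOAD_TEXT
    except OSError:          # locked, unreadable or vanished file: skip it
        return False


def find_clobbered_files(root: os.PathLike | str) -> list[str]:
    """Walk a drive (or any directory) and list files the trojan overwrote,
    as POSIX-style paths relative to root, sorted for stable output."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_clobbered(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def run_demo() -> dict:
    """Build a constructed sample tree in a temporary directory and run both
    checks over it. None of these files is real Firehand software."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "win.ini").write_bytes(PAYLOAD_TEXT)                    # overwritten
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ\x90\x00" + b"\0" * 64)  # intact
        (root / "readme.txt").write_bytes(PAYLOAD_TEXT + b"\r\n")                   # overwritten
        ember = root / "Ember32.exe"   # mock component carrying the strings
        ember.write_bytes(b"MZ" + b"\0" * 32
                          + ACTIVATION_MESSAGE.decode("ascii").encode("utf-16-le")
                          + b"\0" * 8 + PAYLOAD_TEXT)
        return {
            "clobbered": find_clobbered_files(root),
            "component_hits": {ember.name: scan_component(ember)},
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real incident, point `find_clobbered_files` at the root of the drive that holds Windows (the payload targets that drive only) and run `scan_component` against copies of the two named files from the suspect package; a negative string scan is not proof of a clean build, so compare against the replacement “5.2.3.0” package rather than relying on the scan alone.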