Trojan.Win32.Eurosol.20
This is a Trojan horse that masquerades as a program offering a real credit card in exchange for viewing fifteen advertising banners. In actuality, the Trojan installs itself into the system and steals key files belonging to the WebMoney.ru program, if that program is installed on the victim's computer. WebMoney.ru lets users hold "virtual" money in a WebMoney.ru Transfer account and use it to make purchases from e-tailers (Internet retailers) and to make transfers between client systems. The virtual money can also be converted into actual cash, and vice versa. Additional information is available at www.webmoney.ru
When the Trojan starts, it displays a window offering the user the chance to view some advertising banners. At this point, the Trojan copies itself into the %WinDir% directory (the Windows installation directory) under the name Netbios32.exe, and registers itself in the file System.ini:
[boot]
shell=Explorer.exe NetBios32.exe /run
In this way, the Trojan ensures that it is started covertly at every system start-up. In addition, it checks for the ATGuard firewall and, if it is installed, changes its settings so that ATGuard does not prevent TCP/IP connections to external servers from being established. It also creates several service files in the %WinDir% directory.
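The System.ini registration shown above can be checked for mechanically. The following is an added example, not part of the original description: it parses the [boot] section and reports anything on the shell= line besides Explorer.exe. The function names and the sample file contents are constructed for illustration, and paths are assumed to contain no spaces.

```python
import re

EXPECTED_SHELL = "explorer.exe"  # stock shell= value in the [boot] section

def boot_shell_value(ini_text):
    """Return the raw shell= value from the [boot] section, or None if absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        # Section and key names are case-insensitive in Windows INI files.
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def extra_shell_programs(ini_text):
    """Return every token on the shell= line other than a leading Explorer.exe."""
    value = boot_shell_value(ini_text)
    if not value:
        return []
    tokens = value.split()  # assumption: program paths contain no spaces
    first = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    # If the shell was replaced outright, every token is suspect.
    return tokens[1:] if first == EXPECTED_SHELL else tokens

# Constructed samples: only the shell= line of INFECTED comes from the description.
INFECTED = """\
; constructed sample System.ini
[boot]
shell=Explorer.exe NetBios32.exe /run
system.drv=system.drv
"""
CLEAN = "[boot]\nSHELL = C:\\WINDOWS\\explorer.exe\n"

if __name__ == "__main__":
    for name, text in (("infected", INFECTED), ("clean", CLEAN)):
        extras = extra_shell_programs(text)
        print(name, "-> extra shell entries:", extras or "none")
```

Any non-empty result means a program other than Explorer.exe is launched with the shell at start-up and should be reviewed.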
At this point, the Trojan searches for the installed WebMoney.ru program, looking for the files Keys.kwm (the secret key) and Purses.kwm (a virtual "wallet"). The files are encrypted and sent to an FTP server. The malefactor behind the Trojan can then retrieve the stolen "wallet" and its key from the server and attach them to their own copy of the WebMoney.ru program. Following this, they can transfer any money contained in the WebMoney.ru account to their own account, or receive cash via postal transfer in the receiver's name.