Details
Trojan.PSW.GIP.107
This program belongs to the family of password-stealing Trojans.
When run, the Trojan installs itself into the system: it copies itself to the Windows, Windows system, Windows temporary, or Windows\RECYCLED directory and registers that copy in the system registry auto-run section. For example:
Trojan full name: WINDOWS\SYSTEM\shel.exe
Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Welcome = %SystemDir%\shel.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Sevice = %SystemDir%\shel.exe (the value name is misspelled "Sevice", not "Service")
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Config = %SystemDir%\shel.exe
The installed Trojan file name and target directory are configurable. They are stored in encrypted form at the end of the Trojan file. A hacker may configure them before sending the Trojan to a victim machine, or before putting it on a Web site.
The Trojan then registers itself in the system as a hidden application (service), so the Trojan process is not visible in the task list. While active in the system, the Trojan periodically sends e-mail messages to its host (the hacker's e-mail address, which is also configurable). The message contains the following:
computer information (processor, display settings, disk free space, RAM size, etc.)
RAS DialUp information, cached passwords (login name and password)
Internet access login and password
ICQ UIN and password
The Trojan can download a file from a specified Internet site and register it in the Registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Welcome = TMP15F.EXE
The Trojan also creates, modifies and in some cases deletes the following values under the Registry key:
HKCU\Software\Microsoft\Windows
File1
File2
File3
Count
Date
LastError
ver
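The registry artifacts listed above (the Run, RunServices and RunOnce auto-run values, the shel.exe and TMP15F.EXE file names, and the state values under HKCU\Software\Microsoft\Windows) are the indicators a responder would check for on a suspect host. The following Python script is an added example, not part of the original description: it parses a constructed .reg-style export seeded with those entries plus two benign ones and reports matches. The sample export, the helper names (parse_reg_export, find_gip_indicators) and the three-value threshold for the state key are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a fragment of a Windows registry export (.reg style)
# seeded with the auto-run and state entries named in the Trojan.PSW.GIP.107
# description, plus two benign entries. Not captured from a real host.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Welcome"="C:\\WINDOWS\\SYSTEM\\shel.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Sevice"="C:\\WINDOWS\\SYSTEM\\shel.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config"="C:\\WINDOWS\\SYSTEM\\shel.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Welcome"="TMP15F.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"File1"="shel.exe"
"Count"=dword:00000003
"LastError"=dword:00000000
"ver"="1.07"
'''

# Indicators taken from the description above.
TROJAN_FILE_NAMES = {"shel.exe", "tmp15f.exe"}
AUTORUN_VALUE_NAMES = {"welcome", "sevice", "config"}
AUTORUN_KEY_SUFFIXES = (r"\run", r"\runservices", r"\runonce")
STATE_KEY = r"hkey_current_user\software\microsoft\windows"
STATE_VALUE_NAMES = {"file1", "file2", "file3", "count", "date", "lasterror", "ver"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a .reg-style export into {key_path: [(value_name, data), ...]}.

    Quoted string data is unquoted and its doubled backslashes collapsed;
    dword:/hex: data is kept as written.
    """
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, [])
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            data = value_match.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current].append((value_match.group("name"), data))
    return keys


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path or bare file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_gip_indicators(keys: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for every entry matching the description."""
    findings = []
    for key, values in keys.items():
        lkey = key.lower()
        if lkey.endswith(AUTORUN_KEY_SUFFIXES):
            for name, data in values:
                if _basename(data) in TROJAN_FILE_NAMES:
                    findings.append((key, name, data,
                                     "auto-run entry launches a file name used by the Trojan"))
                elif name.lower() in AUTORUN_VALUE_NAMES:
                    findings.append((key, name, data,
                                     "auto-run value name matches one registered by the Trojan; verify target"))
        elif lkey == STATE_KEY:
            present = {name.lower() for name, _ in values} & STATE_VALUE_NAMES
            # Threshold of three is an assumption for this example: a lone
            # 'ver' value under this key is not suspicious by itself.
            if len(present) >= 3:
                findings.append((key, ",".join(sorted(present)), "",
                                 "state values the Trojan writes under HKCU\\Software\\Microsoft\\Windows"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_gip_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{key}] {name} = {data!r}: {reason}")
```

On a live host the same logic applies to the output of `reg export` for the three hives listed; the auto-run check keys on the file names and value names given in the description, while the state-key check requires several of the listed values together so that an unrelated application that happens to write a "ver" value is not reported.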
The Trojan may also (optionally) drop a "decoy" component, such as a joke program, a game, or another kind of attractive program. This is done to deceive the user and disguise the Trojan's installation behind the decoy component.