|
TrojanProxy.Win32.Webber. Viruses Information
| Name: |
TrojanProxy.Win32.Webber. |
| Category: |
Viruses |
| Description:
|
Details
TrojanProxy.Win32.Webber.a
Webber (aka Heloc) is a Win32 trojan program that installs a hidden proxy server on victim machines (with up to 100 connections), reports IP addresses and cached passwords of victim machines to its 'master'. The trojan also downloads (from a URL) and executes other EXE files such as its upgrades.
The Webber trojan was mass-mailed on July 16, 2003. The message had an attached "downloader" (see below) with the name web.da.us.citi.heloc.pif:
Infected messages
Message header:
Re: Your credit application
Message body:
Dear sir, Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile
and Chexsystems information, which didn't satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time. *Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
Installation
When the downloader is run it downloads and executes the main trojan EXE file which creates an additional DLL "helper".
The trojan has three components:
EXE downloader (5664 bytes in size)
EXE trojan (39140 bytes in size)
DLL component (5633 bytes in size)
The main EXE component copies itself to the Windows system directory using randomly selected names and also drops the DLL component under a randomly selected name as well.
The trojan program does not register itself in any auto-run registry key or Windows INI files. However, when the trojan is run, it will modify the following registry keys:
[HKCRCLSID{79FA9088-19CE-715D-D85A-216290C5B738}]
InProcServer32 = %trojan DLL name%
ThreadingModel = Apartment
[HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
Web Event Logger = {79FA9088-19CE-715D-D85A-216290C5B738}
As a result, upon the correct set of events the trojan DLL file will be activated.
The code contains the following copyright text string:
Webber10 |
Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
Sink.40
Natas.477
Macro.Word.Cristal
Emas.245
BAT.Batalia
Fair Famil
Viking.1000.
Stinger.71
Sundevil.69
Babec.
|
