| Description:
|
Details
Trojan.Win32.Lovadot.d
This Trojan program is written in VB5, and compiled as a PCode application, about 46KB in size, which usually enters the system as a file named "movie.exe".
When run, it will first attempt to make a copy of itself in "c:windowssystemsysgo.exe", and will also create a batch file named "c:sysgo.bat", which is supposed to keep making copies of the "sysgo.exe" instance in the Windows (9X) startup directory, so it will get executed every time the system is started. If the operating system is not Windows 95, 98 or ME, the Trojan installation routines will fail, and the Trojan will not be executed with every system reboot.
The Trojan also inserts a line stating "sysgo" in "c:autoexec.bat", and when everything is finished, a file named "pawn.dat" is dumped in the current directory, which contains a single word, "Done". The active Trojan part does not attempt to listen to any ports, and has no backdoors inside. However, if an Internet connection is available, depending on several conditions, it will connect to the "www.loveadot.com" server, and perform a series of tasks.
The main purpose of these tasks seems to be looking through a search engine for pages belonging to or containing the keyword "kcsmith", and then to find AD ("Advertising") pop-ups in those pages, and do the equivalent of "clicking" them.
We assume that "kcsmith" has setup a certain amount of "Pay on click" pages, and is using the Trojan to make money from unsuspecting users.
Another routine in the Trojan will read the value stored in the "http://www.loveadot.com/server.txt", add it into an internal list, then the Trojan will connect to the "www.loveadot.com" server and will try to access a certain page sending the IP address as a parameter. The respective page is either no longer available, or was has not yet been uploaded. The Trojan will also attempt to access the server having the address specified in the "server.txt" file, and send various data to it. At this time, the address from "server.txt" belongs to a machine located in the US, and seems to be down. |
