|
1. Been infected with spyware? Tell us about your problem. 2. Protect your PC from viruses, spyware. 3. For fast automatic spyware removal, try CounterSpy, SUPERAntiSpyware |
Trojan Horse keylogger steal end-user information for popular online games.
Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code’s filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
The main_80.scr file is an SFX self-extracting executable file that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it will use download.exe to copy the extracted files to the system32 dir and execute its version of run32dll.exe. The rundll32.exe file will show error.jpg. Once the user closes the .jpg file,rundll32.exe will execute the rest of the extracted .exe files.
These extracted .exe files modify the registry, as detailed below, to ensure that it starts on restart, and checks for the existence of the application Lineage.
* Modifies or creates files and stores in system32 directory
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created
Submit to: Digg | SlashDot | Del.icio.us
3 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Previous Posts:
- VirusRemover2008 - fake antispyware | How to remove
- Fresh rogue antispyware: WistaAntivirus, WinDefender, SpywareScanner2008
- FixIEDef - free program for removing rogue antispyware
- Found new fake antispyware - PestSweeper
- MalwareProtector2008 - fresh rogue antispyware.
- How to disable the autorun feature to prevent malware from spreading
- Zinaps - fresh fake antispyware
- How to remove trojans that uses autorun.inf file
- Fresh rogue antispyware: AdvancedXPFixer and DisableSpyware
- Found new rogue antispyware - XPSecurityCenter
- AntiSpywareMaster and RegistryGreat | How to remove
- How to remove new rogue antispywares Malware Bell and IE Antivirus
- How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar
- How to uninstall combofix
- Found new rogue antispyware programs
- How to remove braviax.exe/cru629.dat/users32.dat malware
- VirusHeat rogue antispyware - How To Remove
- Fresh updates to Ad-Aware and SpyBot-search & Destroy
- How to remove core.cache.dsk and parportt.sys
- How to remove CID popups
Forum posts:
- Removing CiD pop-ups
- Win:32KdCrypt(Cryp)
- Have a Joke-Bluescreen and XP Antivirus 2008 problem
- Adware and PUA - i need help
- Combofix Virus [W32.Scrapkut worm]
- Need help with antivirus spyware
- XP Antivirus 2008/2009, Malaware
- autorun malware removal
- Popup Problems
- xpsecuritycenter infection, as well as braviax
- Empty Device manager list = (apropos virus??)
- HijackThis log here, help please :) [ AntivirusXP ]
- False Pop-UPs Help
- Joke Bluescreen - HELP!!! [Antivirus XP]
- Windows Explorer closes by itself.
- prorat infection that doesnt go away
- Please help w/ Vundo
- Infected with Trojan.Vundo PLEASE HELP
- Infected with Zinaps7 virus. Hijackthis log included.
- Bifrose detected, what to do? using combofix?
Categories:
- Pop-Up Blockers and Firewalls (rss) (5)
- Adware (rss) (10)
- Anti Virus Software (rss) (11)
- Best Programs (rss) (3)
- Browser Hijacking (rss) (13)
- Critical patch (rss) (21)
- Exploits & Vulnerabilities (rss) (58)
- FAQ (rss) (8)
- Free Software (rss) (64)
- Identity Theft (rss) (8)
- Internet Browsers and Mail and News readers (rss) (12)
- Linux (rss) (4)
- Malware (rss) (11)
- Online Scanners (rss) (11)
- Phishing (rss) (2)
- Rogue Anti Spyware (rss) (43)
- Rookit (rss) (3)
- spyware (rss) (2)
- Spyware protection and removal (rss) (76)
- Tips (rss) (79)
- Trojan (rss) (36)
- Tutorials - "How to" (rss) (68)
- Updates (rss) (16)
- Virus (rss) (19)
- Worms (rss) (14)
Archives:
- July 2008 (3)
- June 2008 (4)
- May 2008 (5)
- April 2008 (1)
- March 2008 (4)
- February 2008 (3)
- January 2008 (2)
- December 2007 (7)
- November 2007 (27)
- October 2007 (4)
- July 2007 (2)
- June 2007 (3)
- April 2007 (1)
- March 2007 (6)
- February 2007 (6)
- December 2006 (1)
- November 2006 (2)
- October 2006 (7)
- September 2006 (2)
- August 2006 (10)
- July 2006 (7)
- June 2006 (22)
- May 2006 (18)
- April 2006 (12)
- March 2006 (24)
- February 2006 (33)
- January 2006 (52)
- December 2005 (50)
- November 2005 (66)
Blogroll
- PC Tips
- Sans Org - Internet Storm Center
- Spyware RU
- Sun Belt Blog
Help Us:
- MyAntiSpyware needs your support. Please make link from your site to us.
Use the button:
Bookmark Us:
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds.
Valid XHTML and CSS. ^Top^
Evidence of a website that appears to be hosting a malicious keylogger trojan horse
Trojan horses (software that includes “features” that may work against the user’s intentions) are hardly…
Trackback by Steve Lamb's Blog — March 15, 2006 #
Thanks for the interesting website - keep up the good work.
Comment by Steve Lamb — March 15, 2006 #
Trojan report.
Just picked up the following warning:
Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious…
Trackback by Nursing and some other bits — March 15, 2006 #