Prevent Online Threats

Archive for April, 2008

TrojanDownloader.Win32.Keenval

Wednesday, April 30th, 2008

Details
TrojanDownloader.Win32.Keenval.f

Keenval is a Trojan downloader that downloads an adware program to the victim computer. This adware redirects the browser to portal sites from which more adware may be downloaded.
The Trojan program itself is a Windows PE EXE file about 33 KB in size.
The Trojan tries to download a file from http://10.10.11.193:8260/adware/download/ and saves it as KeenValueInstall.EXE.
The Trojan will also attempt to redirect the browser to http://tracking.thunderdownloads.com

TrojanDownloader.Win32.Greetyah

Wednesday, April 30th, 2008

Details
TrojanDownloader.Win32.Greetyah.a
Greetyah downloads a file from the internet and sets an auto-run key in the system registry in order to establish automatic starts.
A mass mailing of this trojan program was detected on March 17th, 2003. Message text appears as follows:
Date: Mon, 17 Mar 2003 14:57:57
From: replymsg@g1.gc.vip.sc5.yahoo.com
To: Ivan Petrov
Subject: Elena_M sent you a Yahoo! Greeting

Yahoo! Greetings
Surprise! You’ve just received a Yahoo! Greeting
from from “Elena_M” (elena_m@mail.ru)!

To view this greeting card, click on the following
Web address at anytime within the next 30 days.

http://view.greetings.yahoo.com/greet/view?***********

If that doesn’t work, go to http://view.greetings.yahoo.com/pickup
and copy and paste this code:

BJWU37Y2S4A

Enjoy!

The Yahoo! Greetings Team
c 1996-2003 Yahoo! Greetings http://greetings.yahoo.com/

The program is 3072 bytes in size and is written in assembler.
At start-up the program displays the following message box:

Next the program downloads the file:
sysman32.exe

from the site:
http://view-greetings-yahoo.com

The file “sysman32.exe” contains the other trojan program:
Trojan.WebMoney.WMPatch.b

The trojan program copies this file to the Windows system directory and establishes an auto run key (for automatic starts) in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemManager=\sysman32.exe

The program also contains the following encrypted strings:
Error Error on line 25: invalid object
Do you want to debug? InternetOpenA InternetOpenUrlA InternetReadFile
RegOpenKeyA RegSetValueExA RegCloseKey CloseHandle CreateFileA
GetSystemDirectoryA WriteFile wininet.dll advapi32.dll kernel32.dll

TrojanDownloader.Win32.Dyfuca

Wednesday, April 30th, 2008

Details
TrojanDownloader.Win32.Dyfuca.a

This family of Trojans is designed to download a variety of adware and spyware to victim machines.
It spreads via the Internet as the Internet Optimizer utility; there are several modified versions:
InternetOptimizer/Iopti:
unknown-server errors, page-missing errors, server errors and even password-required errors are redirected to Internet Optimizer’s controlling server at www.internet-optimizer.com.
InternetOptimizer/Nem:
as Iopti, but searches are hijacked to yoogee.com (a search site run by the makers of InternetOptimizer).
InternetOptimizer/Wsem:
a larger version of the software, whose purpose is unclear.
InternetOptimizer/Crmrest:
an ActiveX downloader control for InternetOptimizer.
As a rule, the Trojan can be uninstalled from the system using the Control Panel: Add/Remove Programs, under the names Active Alert and Internet Optimizer.

TrojanDownloader.Win32.Dler.11

Wednesday, April 30th, 2008

Details
TrojanDownloader.Win32.Dler.11.a

When run, the Trojan installs itself to the system. While installing, the program downloads Trojans from a remote hacker’s site and runs them. Optionally, it can register the downloaded Trojans in the Windows registry so that they start automatically.
The installed Trojan file name, the target directory and the registry key are stored in encrypted form at the end of the Trojan file. A hacker may configure them before sending the Trojan to a victim’s machine, placing it on a Web site or mass-mailing it.

TrojanDownloader.Win32.Checkin

Wednesday, April 30th, 2008

Details
TrojanDownloader.Win32.Checkin
Checkin is a “downloader” Trojan that downloads a given file from a certain site and runs it. The Trojan itself is a Windows PE EXE file, written in MS Visual C++.
The Trojan files have the following approximate sizes:
“Checkin.a”: 50Kb
“Checkin.b”: 45Kb

The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:
“Checkin.a”:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SysReg = %SystemDir%\SysReg

“Checkin.b”:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
OWMngr = %SystemDir%\OWMngr.exe

It seems that the Trojan program is meant to be accompanied by an “installer” that performs all the steps needed to install the Trojan into the system.
The trojan program also creates more registry keys:
HKCU\Software\IExplore Ads
AID
ID
LoggedIn

It uses these keys for its ‘internal’ needs.
Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file.
The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:

“Checkin.a”: http://tp.searchseekfind.com
“Checkin.b”: http://ads.onwebmedia.com

At these locations the trojan uses the “Checkin.pl” file.

TrojanDownloader.Win32.Apher

Wednesday, April 30th, 2008

Details
TrojanDownloader.Win32.Apher
Apher is malware in the wild that spreads as an attachment to spoofed e-mails sent from a legitimate Microsoft address. The e-mail text is disguised as a Kaspersky Labs anti-virus software update.
Below is a screen shot of a spoofed e-mail message infected with Apher:

TrojanDownloader.BMP.Agent

Tuesday, April 29th, 2008

Details
TrojanDownloader.BMP.Agent.a

This TrojanDownloader exploits a vulnerability in MS Windows that is triggered when viewing BMP files.
To date Agent only affects Russian versions of MS Windows 2000.
Agent may cause email clients to close on other versions of Windows or in other operating systems.
Agent calls the UrlDownloadToFileA function and downloads another Trojan, Backdoor.Throd.a, from the a1qwertya1.biz.ly site. Throd is saved on the C: drive as \sys.exe and launched.

TrojanClicker.Win32.QHost

Tuesday, April 29th, 2008

Details
TrojanClicker.Win32.QHost.a
TrojanClicker.Win32.Qhost is a family of Trojan horses that primarily replace or alter the HOSTS file, which holds the mapping between the names of remote computers and their IP addresses. Usually this leads to an increase in incoming traffic to the targeted sites. The Trojan relies on the name-resolution order used by TCP/IP: the HOSTS file is examined first, and only if no matching entry is found is the name passed to the network name services for resolution (more details can be found in the operating system documentation).
Once the Trojan program is run, it modifies the HOSTS file by writing false mappings to it, such as:
645238813 auto.search.msn.com
38.117.144.29 www.altavista.com

This is done so that when the user accesses the msn.com or altavista.com servers, the operating system finds the corresponding entry in the HOSTS file and sends the request to the IP address 38.117.144.29 instead.
The Trojan mainly targets high-traffic, well-known Internet sites so that the stream of requests to the false IP address is as large as possible.
The attacker may be seeking to:
organize a DoS (denial of service) attack on a server
increase traffic to their own site in order to increase its advertising value
attract potential virus victims
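A defender-side check for the redirection pattern described above, written as an added example that is not part of the original post: it parses a constructed HOSTS file modelled on the two quoted entries, normalizes addresses written as a bare decimal integer (645238813 is 38.117.144.29 in dotted form), and flags well-known hostnames that are pinned to anything other than loopback. The watch-list of domain suffixes is an assumption for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample HOSTS file, modelled on the two entries quoted above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
645238813 auto.search.msn.com
38.117.144.29 www.altavista.com
"""

# Assumed watch-list: high-traffic domains that should never be pinned in
# HOSTS on a normal workstation; extend it for your own environment.
WATCHED_SUFFIXES = ("msn.com", "altavista.com")

def normalize_ip(token):
    """Accept a dotted quad or a bare decimal integer (the form used by the
    first sample entry) and return a canonical IP address object."""
    if token.isdigit():
        return ipaddress.IPv4Address(int(token))
    return ipaddress.ip_address(token)

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and unparsable lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = normalize_ip(addr)
        except ValueError:
            continue          # not an address: leave it for manual review
        for name in names:
            yield ip, name.lower()

def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text):
    """Watched hostnames mapped to anything other than a loopback address."""
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if not ip.is_loopback and is_watched(name)]

def targets_by_ip(text):
    """Count watched hostnames funnelled to each address: several names on
    one IP is the traffic-redirection pattern this Trojan family produces."""
    return Counter(ip for _, ip in suspicious_entries(text))
```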

TrojanClicker.Win32.Lopin

Tuesday, April 29th, 2008

Details
TrojanClicker.Win32.Lopin

This TrojanClicker is written in C++Builder.
Installation
When installed, the Trojan copies itself to the Windows system directory as rundll32.exe and registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ControlPanel]
Payload
The Trojan changes the file msblank.htm in the Windows system directory. Once altered, msblank.htm contains a link to the site cploving.awmhost.net. The user will always be directed to this site instead of being shown a blank page in Internet Explorer.

Trojan.Win9x.Angriff

Tuesday, April 29th, 2008

Details
Trojan.Win9x.Angriff

This is a Win95/98/ME Trojan program that attacks the Xpresso financial information desktop (see http://www.spxpresso.com). The Trojan is intended to modify financial transactions, probably to forward these transactions to the hacker’s bank account. It does this by tampering with the Java run-time library used by the Xpresso client, which is written in Java.
The Trojan was not tested in the virus lab, so we cannot confirm that it forwards money transfers to the hacker’s or any other account. What is certain is that the Trojan intercepts transactions and modifies data in the transaction control blocks.
The Trojan is distributed attached to Win32 PE EXE files. The Trojan code is placed at the end of the PE EXE file in a virus-like way. When an affected file is run, the Trojan code gets control and installs the main Trojan component in the system. Control is then returned to the host file.
The Trojan cannot infect other PE EXE files by itself. A separate “dropper” component (a command-line Win32 application) was found that attaches the Trojan code to victim PE EXE files at the user’s request.
While installing into the system, the Trojan extracts a VxD component (the main Trojan component) from its code and writes it to a newly created file MSREBOOT.VXD in the Windows system directory. This VxD is then registered under the “VxD Services” registry key.
There are also more keys created in there:
HKLM\System\CurrentControlSet\Services\VxD\REBOOT\
RebootData = [zero-length data]
Start = 00
StaticVxD = “*REBOOT,MSREBOOT.VXD”
The first value indicates the date on which the Trojan will uninstall itself from the system. When that date arrives the Trojan wipes its VXD file with zeros and then deletes the file.
The purpose of the second value is unknown.
The third value is the auto-load registry entry that forces Windows to load and activate the VXD file when Windows starts up.
When the Trojan VXD file is activated, the main Trojan procedure monitors file-opening operations and looks for the Java runtime library JRT3230.DLL. The Trojan lets that library load, waits until loading is complete and then hooks the “do_execute_java_method_vararg” Java function.
The hook then intercepts all data processed by that function, including bank transfers made with the Xpresso client. The Trojan parses the transfer request structure and replaces some fields in the request with other values. It appears that the Trojan replaces the original destination bank account number with the hacker’s.

Trojan.Win32.Xombe

Tuesday, April 29th, 2008

Details
Trojan.Win32.Xombe.a

This multi-component Trojan is able to download arbitrary files and launch them on the infected machine.
It spreads via email as an attachment to infected messages.
Infected messages
Sender’s address:
windowsupdate@microsoft.com
Message header:
Windows XP Service Pack 1 (Express) - Critical Update.
Message body:
Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1). To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1. If you cannot remove the beta version, you should still reinstall Windows XP SP1.

Windows XP SP1 provides the latest security, reliability, and performance updates to the Windows XP family of operating systems. Windows XP SP1 is designed to ensure Windows XP platform compatibility with newly released software and hardware, and includes updates to resolve issues discovered by customers or by Microsoft’s internal testing team.

The maximum download size is approximately 3 MB, however the size of the download and time required may be less for computers that have had updates previously installed.

To minimize the download time needed for installation, setup will only download those files which are required to bring your computer up to date. Windows XP SP1 includes Internet Explorer 6 SP1. Anti-virus software programs may interfere with the installation of Windows XP SP1. Please disable anti-virus software while installing the service pack.

Just run the file winxp_sp1.exe in attach and make sure to restart your PC after installation will be completed.

(c) 2004 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement
Attachment name:
winxp_sp1.exe
The attached file is approximately 4KB in size.
This file is a TrojanDownloader, which downloads the main Trojan component from remote sites. This component is then installed to the Windows system directory under the name msvchost.exe.
This file is added to the system registry to ensure that the Trojan is launched each time Windows is started.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
mssvc = %system\msvhost.exe
The file is 27KB in size, packed using UPX. The unpacked file is over 100KB in size.
Once installed, the Trojan connects to a remote site in order to receive commands.
When this Trojan was detected, it installed a DLL under the name http_f.dll to the system. However, this is not a constant; the Trojan will install whatever file is on the website at the time.
This DLL is approximately 23KB in size and packed using UPX. The unpacked file is approximately 56KB in size.
The DLL is an HTTP client which can conduct DoS attacks on arbitrary sites. The commands for conducting the attacks and the list of sites to be attacked are also downloaded from the Internet by the Trojan.

Trojan.Win32.Delf.abx

Tuesday, April 29th, 2008
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 945664 bytes in size. It is not packed in any way. It is written in Delphi. Installation When launched, the Trojan copies itself as shown below: %Documents and Settings%\%user%\Start...

Trojan.Win32.Xalnaga

Tuesday, April 29th, 2008

Details
Trojan.Win32.Xalnaga.a

This is a Win32 Trojan horse. When run, it modifies the Registry keys listed below and exits. As a result, Windows is left largely non-functional: all icons on the Desktop are removed, so it is not possible to reboot the machine in the usual way, and so on.
The Trojan has the “copyright” string:
Tyrant-28881 {T-28881} virus
The affected registry keys are:
Key1:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop = 1
Key2:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon

NoRun = 1
NoFind = 1
NoClose = 1
Key3:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableRegistryTools = 1
Key4:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon

LegalNoticeCaption = <<< Xal Naga was here >>>
LegalNoticeText = The human era has come to an end, the new breed of humans will evolve right now !!! Behold and despair !!!
The results are:
all icons are removed from the Desktop (key1)
the “Start” menu items Run, Find and Shut Down are removed (key2)
the standard Registry editors under WinNT are disabled (key3)
a message box is displayed at logon (key4)

Because of a bug in the Trojan, Key3 is written to the Registry in an incorrect form, so this action does not take effect: it is still possible to run Regedit and repair the affected keys.
Repair: set these values to ‘0’ or delete them.
To run Regedit.exe: select Start\Programs\Windows Explorer, then browse to Regedit.exe and run it.

Trojan.Win32.VirtualRoot

Monday, April 28th, 2008

Details
Trojan.Win32.VirtualRoot
This Win32 Trojan is dropped by the “CodeRed.c” worm. See IIS-Worm.CodeRed for more details.

Trojan.Win32.VFL

Monday, April 28th, 2008

Details
Trojan.Win32.VFL

This is a Trojan horse that changes several Windows network parameters and, according to its author, provides a 100% increase in Internet speed (for details, see http://www.optimizator.ru). On installation, the program replaces the SHDOCLC.DLL system file. As a result, when a page requested in Internet Explorer is displayed, the user is redirected to http://vfl.ru/js (hence the name of the Trojan). After the program is removed from the computer, SHDOCLC.DLL remains altered.
This program is classified as a Trojan because of the following characteristics:
- It changes Windows system files without the user’s knowledge;
- It has no complete uninstall procedure;
- When the program is removed, the SHDOCLC.DLL system file is not restored;
- It allows the modified SHDOCLC.DLL file installed on the computer to be used for malicious purposes.

