Trojan.Win32.Xombe

Details
Trojan.Win32.Xombe.a

This multi-component Trojan is able to download random files and launch them on the infected machine.
It spreads via email as an attachment to infected messages.
Infected messages
Sender’s address:
windowsupdate@microsoft.com
Message header:
Windows XP Service Pack 1 (Express) - Critical Update.
Message body:
Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1). To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1. If you cannot remove the beta version, you should still reinstall Windows XP SP1.

Windows XP SP1 provides the latest security, reliability, and performance updates to the Windows XP family of operating systems. Windows XP SP1 is designed to ensure Windows XP platform compatibility with newly released software and hardware, and includes updates to resolve issues discovered by customers or by Microsoft’s internal testing team.

The maximum download size is approximately 3 MB, however the size of the download and time required may be less for computers that have had updates previously installed.

To minimize the download time needed for installation, setup will only download those files which are required to bring your computer up to date. Windows XP SP1 includes Internet Explorer 6 SP1. Anti-virus software programs may interfere with the installation of Windows XP SP1. Please disable anti-virus software while installing the service pack.

Just run the file winxp_sp1.exe in attach and make sure to restart your PC after installation will be completed.

(c) 2004 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement
Attachment name:
winxp_sp1.exe
The attached file is approximately 4KB in size.
This file is a TrojanDownloader, which downloads the main Trojan component from remote sites. This component is then installed to the Windows system directory under the name msvchost.exe.
This file is added to the system registry to ensure that the Trojan is launched each time Windows is started.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
mssvc = %system%\msvhost.exe
The file is 27KB in size, packed using UPX. The unpacked file is over 100KB in size.
Once installed, the Trojan connects to a remote site in order to receive commands.
When this Trojan was detected, it installed a DLL under the name http_f.dll to the system. However, this is not a constant; the Trojan will install whatever file is on the website at the time.
This DLL is approximately 23KB in size and packed using UPX. The unpacked file is approximately 56KB in size.
The DLL is an HTTP client, which can conduct DoS attacks on random sites. The commands for conducting the attacks and a list of sites to be attacked are also downloaded from the Internet by the Trojan.
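To check a host for the autostart entry described above, the following added example (not part of the original description) scans the text of a .reg export of the HKLM Run key for the value name and file names given on this page. The function names and the sample export are constructed for illustration; the input is assumed to be already decoded to text.

```python
import re

# Indicators from the description above. The page spells the file name two
# ways (msvchost.exe and msvhost.exe), so both are matched.
VALUE_NAME = "mssvc"
FILE_NAMES = {"msvchost.exe", "msvhost.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_EXE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

def run_values(reg_text):
    """Yield (name, data) string values under the HKLM Run key of a .reg export."""
    in_run = False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].rstrip("\\").lower() == RUN_KEY
        elif in_run and (m := _VALUE.match(line)):
            # .reg files escape backslashes and quotes inside string data
            yield tuple(re.sub(r"\\(.)", r"\1", g) for g in m.groups())

def xombe_hits(reg_text):
    """Return [(name, data, reasons)] for Run entries matching the indicators."""
    hits = []
    for name, data in run_values(reg_text):
        exe = _EXE.search(data)
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        if exe and exe.group(1).lower() in FILE_NAMES:
            reasons.append("file name")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /min"
"mssvc"="C:\\WINDOWS\\system32\\msvchost.exe"
"Updater"="C:\\WINDOWS\\system32\\msvhost.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"mssvc"="C:\\Temp\\setup.exe"
'''

if __name__ == "__main__":
    for hit in xombe_hits(SAMPLE):
        print(hit)
```

A match on the file name alone still deserves review, because the description notes that the components the Trojan installs are whatever the remote site serves at the time.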
