
TrojanDownloader.Win32.Greetyah

Details
TrojanDownloader.Win32.Greetyah.a
Greetyah downloads a file from the internet and adds an auto-run key to the system registry so that the downloaded file starts automatically with Windows.
A mass mailing of this trojan program was detected on March 17th, 2003. The message text is as follows:
Date: Mon, 17 Mar 2003 14:57:57
From: replymsg@g1.gc.vip.sc5.yahoo.com
To: Ivan Petrov
Subject: Elena_M sent you a Yahoo! Greeting

Yahoo! Greetings
Surprise! You’ve just received a Yahoo! Greeting
from from “Elena_M” (elena_m@mail.ru)!

To view this greeting card, click on the following
Web address at anytime within the next 30 days.

http://view.greetings.yahoo.com/greet/view?***********

If that doesn’t work, go to http://view.greetings.yahoo.com/pickup
and copy and paste this code:

BJWU37Y2S4A

Enjoy!

The Yahoo! Greetings Team
© 1996-2003 Yahoo! Greetings http://greetings.yahoo.com/

The program is 3072 bytes in size and is written in Assembler.
On start, the program displays the following message box:

Next the program downloads the file:
sysman32.exe

from the site:
http://view-greetings-yahoo.com

The file “sysman32.exe” contains another trojan program:
Trojan.WebMoney.WMPatch.b

The trojan program copies this file to the Windows system directory and adds an auto-run key (so that the file starts automatically with Windows) to the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemManager=\sysman32.exe
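As an added defender-side example (not code from the original write-up), the script below turns the indicators described above into two checks: a hostname test that flags lookalike domains such as view-greetings-yahoo.com, which mimic the legitimate greetings.yahoo.com by swapping dots for hyphens, applied to proxy log lines; and an audit of a Run-key snapshot for the SystemManager / sysman32.exe persistence entry. The log lines and the registry snapshot are constructed samples, and the function names are my own.

```python
import re

# Legitimate service the lure impersonates (from the message text above).
LEGIT_DOMAIN = "greetings.yahoo.com"

# Persistence indicator from the write-up: value name -> executable basename.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_BAD_RUN_VALUES = {"systemmanager": "sysman32.exe"}

# Constructed proxy log lines (not from the page): timestamp, client, host, path.
SAMPLE_PROXY_LOG = """\
2003-03-17T15:02:11 10.0.0.12 view.greetings.yahoo.com /greet/view
2003-03-17T15:02:40 10.0.0.12 view-greetings-yahoo.com /sysman32.exe
2003-03-17T15:03:02 10.0.0.7 mail.ru /
"""

# Constructed snapshot of the Run key (not a live registry read).
SAMPLE_RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SystemManager": r"C:\WINDOWS\system32\sysman32.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /silent',
}


def hostname_is_lookalike(host, legit=LEGIT_DOMAIN):
    """True if host is not legit (or a subdomain of it) but still contains
    the legit label sequence once hyphens are treated like dots, e.g.
    view-greetings-yahoo.com or greetings.yahoo.com.evil.example."""
    h = host.lower().rstrip(".")
    if h == legit or h.endswith("." + legit):
        return False
    labels = [part for part in re.split(r"[.-]", h) if part]
    legit_labels = legit.split(".")
    n = len(legit_labels)
    return any(labels[i:i + n] == legit_labels for i in range(len(labels) - n + 1))


def flag_lookalike_requests(log_text):
    """Return (client, host, path) for every log line whose host is a lookalike."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        _ts, client, host, path = parts[:4]
        if hostname_is_lookalike(host):
            hits.append((client, host, path))
    return hits


def _exe_basename(command):
    """Extract the executable's basename from a Run-key command string,
    handling both quoted and unquoted paths with trailing arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        tokens = cmd.split()
        path = tokens[0] if tokens else ""
    return path.replace("/", "\\").split("\\")[-1].lower()


def suspicious_run_entries(run_values):
    """Audit a {value_name: command} snapshot of the Run key and return
    (value_name, command, reason) for entries matching the indicator."""
    findings = []
    for name, command in run_values.items():
        key = name.lower()
        exe = _exe_basename(command)
        if key in KNOWN_BAD_RUN_VALUES and exe == KNOWN_BAD_RUN_VALUES[key]:
            findings.append((name, command, "value name and file both match"))
        elif exe in KNOWN_BAD_RUN_VALUES.values():
            findings.append((name, command, "file name matches"))
        elif key in KNOWN_BAD_RUN_VALUES:
            findings.append((name, command, "value name matches"))
    return findings


if __name__ == "__main__":
    for hit in flag_lookalike_requests(SAMPLE_PROXY_LOG):
        print("lookalike request:", hit)
    for finding in suspicious_run_entries(SAMPLE_RUN_KEY):
        print("suspicious Run value under", RUN_KEY, ":", finding)
```

The Run-key check is an indicator match, not a general detector: the value name and file name are exactly what this sample writes, and a variant could use different ones, so treat a hit as a confirmation and the absence of one as no evidence either way. The lookalike test is the more durable of the two, since hyphen-for-dot impersonation of a trusted domain is a pattern rather than a specific string.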

The program also contains the following encrypted strings:

Error
Error on line 25: invalid object
Do you want to debug?
InternetOpenA
InternetOpenUrlA
InternetReadFile
RegOpenKeyA
RegSetValueExA
RegCloseKey
CloseHandle
CreateFileA
GetSystemDirectoryA
WriteFile
wininet.dll
advapi32.dll
kernel32.dll
