mwblog.org

Trojan.Win32.Flogash.a



1. Summary:

Flogash.a is a trojan horse whose file size ranges from 384 kB to 1.45 MB. It steals sensitive data such as keystrokes and sends them back to the attacker.

Aliases:
Symantec: Trojan.Flogash

2. Detailed description:

After its first run, the trojan Flogash.a creates four files in the Windows system directory:

%SYSTEM%\div52x
%SYSTEM%\div52x.exe
%SYSTEM%\nvfw96
%SYSTEM%\nvfw96.exe

Trojan Flogash.a may also create executable Macromedia Flash files in the %TEMP% directory.

Next, the Trojan creates the following registry entries so that it gets executed whenever Windows starts:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1871276A-3AE9-E43D-0400-000505000107}]
"StubPath"="%System%\div52x.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{076200C7-8302-FDAA-0404-070602000300}]
"StubPath"="%System%\nvfw96.exe"

Trojan Flogash.a injects itself into the running instance of Windows Explorer (explorer.exe; note that this is not Internet Explorer, and it is always running in the background), captures all user keystrokes and stores them in the Windows system directory:

%SYSTEM%\div52x
%SYSTEM%\nvfw96

Information about the infected computer, together with all the gathered data (including passwords, e-banking information etc.), is sent by Flogash.a back to the attacker over a TCP socket on port 82 or 6112 to the hosts:

dasmurmeltier.ath.cx
sucka.mine.nu

These are dynamic DNS hostnames, so the attacker can change the DNS record at any time to point them at a different IP address.
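The indicators above (the two Active Setup GUIDs, the dropped executables, the two dynamic DNS hosts and the two TCP ports) can be checked offline against artifacts collected from a suspect machine. The following script is an added example and not code from the original post: it parses a registry export of the Active Setup "Installed Components" key in regedit's .reg text format and a batch of firewall log lines, both constructed here for the demonstration (the benign GUID, the log format and the IP addresses are made up), and reports matches. It generalises slightly beyond the post by flagging any StubPath that runs one of the dropped file names even under a GUID the post does not list, and it treats a bare port match as a weak indicator, since ports 82 and 6112 are also used by legitimate software.

```python
"""Offline triage for the Flogash.a indicators (added example, not the post's code)."""
import re
from dataclasses import dataclass, field

# Indicators taken from the post.
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
KNOWN_GUIDS = {
    "{1871276A-3AE9-E43D-0400-000505000107}",
    "{076200C7-8302-FDAA-0404-070602000300}",
}
DROPPED_EXES = {"div52x.exe", "nvfw96.exe"}
C2_HOSTS = {"dasmurmeltier.ath.cx", "sucka.mine.nu"}
C2_PORTS = {82, 6112}

# Constructed .reg export in the shape regedit produces (backslashes are
# doubled in string values). The first GUID is a made-up benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-00000000BE9F}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1871276A-3AE9-E43D-0400-000505000107}]
"StubPath"="%System%\\div52x.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{076200C7-8302-FDAA-0404-070602000300}]
"StubPath"="%System%\\nvfw96.exe"
"""

# Constructed firewall log lines: "<date> <time> <src> -> <dst>:<port> <proto>".
SAMPLE_LOG = """\
2007-10-23 21:14:02 10.0.0.15 -> 10.0.0.1:53 udp
2007-10-23 21:14:05 10.0.0.15 -> dasmurmeltier.ath.cx:82 tcp
2007-10-23 21:20:41 10.0.0.15 -> 203.0.113.7:6112 tcp
2007-10-23 21:25:00 10.0.0.15 -> www.example.com:80 tcp
"""


@dataclass
class ActiveSetupEntry:
    guid: str
    values: dict = field(default_factory=dict)


def parse_reg_export(text):
    """Return one ActiveSetupEntry per subkey directly under Installed Components."""
    key_re = re.compile(r"^\[(.+)\]$")
    val_re = re.compile(r'^"([^"]+)"="(.*)"$')
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = key_re.match(line)
        if m:
            parent, _, leaf = m.group(1).rpartition("\\")
            # Only subkeys of the Active Setup key are of interest.
            current = ActiveSetupEntry(leaf) if parent.lower() == ACTIVE_SETUP.lower() else None
            if current:
                entries.append(current)
            continue
        m = val_re.match(line)
        if m and current is not None:
            name, raw = m.groups()
            current.values[name] = raw.replace("\\\\", "\\")  # undo .reg escaping
    return entries


def flag_persistence(entries):
    """Return (guid, stubpath, reason) tuples for entries matching the indicators."""
    hits = []
    for e in entries:
        stub = e.values.get("StubPath", "")
        exe = stub.split("\\")[-1].split(" ")[0].lower()  # basename of the command
        if e.guid.upper() in KNOWN_GUIDS:
            hits.append((e.guid, stub, "known Flogash.a Active Setup GUID"))
        elif exe in DROPPED_EXES:
            hits.append((e.guid, stub, "StubPath runs a Flogash.a dropped file"))
    return hits


LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\w+)$")


def flag_network(log_text):
    """Return (timestamp, src, dst, port, reason) for suspicious log lines."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        port = int(port)
        if dst.lower() in C2_HOSTS:
            hits.append((ts, src, dst, port, "connection to a published C2 host"))
        elif proto == "tcp" and port in C2_PORTS:
            hits.append((ts, src, dst, port, "outbound TCP on a C2 port (weak; verify destination)"))
    return hits


if __name__ == "__main__":
    for hit in flag_persistence(parse_reg_export(SAMPLE_REG)):
        print("PERSISTENCE:", hit)
    for hit in flag_network(SAMPLE_LOG):
        print("NETWORK:", hit)
```

On a real case, replace SAMPLE_REG with the contents of a `reg export` of the Installed Components key and SAMPLE_LOG with lines from the firewall or proxy, adjusting LOG_RE to that product's format; hostname matches are the strong signal, while a lone port match only marks a destination worth resolving and checking against the dynamic DNS names.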

3. Cleaning:

- Reboot the PC into Safe Mode.
- Delete the files:
%SYSTEM%\div52x
%SYSTEM%\div52x.exe
%SYSTEM%\nvfw96
%SYSTEM%\nvfw96.exe

- Delete the whole subkey '{1871276A-3AE9-E43D-0400-000505000107}' under Installed Components, i.e. the following entry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1871276A-3AE9-E43D-0400-000505000107}]
"StubPath"="%System%\div52x.exe"

- Do the same for the subkey '{076200C7-8302-FDAA-0404-070602000300}', i.e. the entry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{076200C7-8302-FDAA-0404-070602000300}]
"StubPath"="%System%\nvfw96.exe"

- Reboot back into normal mode.

Posted 10/24/2007 02:11