Notice: because this topic is out of date, this page was served from the cache.
Angry Bull
Registered: 31.01.02
Posts: 2728
Posted: 03/05/04 at 14:23

I've been fighting this infection for a week now. I think I've cleaned it out, but I'm not 100% sure. What's more, the trojan only became active when visiting certain sites: WebMoney, MDM Bank, Terra and so on. Here is the description from 2 sites.
McAfee Virus Profile

Virus Information
Name: BackDoor-CCT
Risk Assessment - Home Users: Low
Risk Assessment - Corporate Users: Low
Date Discovered: 4/13/2004
Date Added: 4/13/2004
Origin: Unknown
Length: 17,552 bytes (EXE, FSG-packed); 14,336 bytes (DLL)
Type: Trojan
SubType: Remote Access
DAT Required: 4351

Virus Characteristics
This trojan bears strong similarities to the W32/Dumaru family (see for example W32/Dumaru.w). It opens a backdoor on the victim machine, and also steals data from the machine. Such data includes:
  email passwords
  application passwords (e.g. FAR manager)
  WebMoney data
  logged keystrokes
  clipboard data
The trojan targets applications with specific strings in the window title in an attempt to log keystrokes related to online financial transactions. Windows with titles containing any of the following strings are targeted:
  gold, Storm, e-metal, WebMoney, WM Keeper, Keeper, Fethard, fethard, bull, Bull, mull, PayPal, Bank, bank, cash, ebay, ePass, iKobo, Fidelity
The trojan also harvests data from the temporary internet files on the victim machine.
Data is sent to the hacker via HTTP (a completed HTML form is written to %WinDir%\TEMP\feff35a0.htm, and IEXPLORE.EXE is launched to initiate its posting). Users should block HTTP access to the following domain:
  http://govno.ws (the bastards!)
Stolen data may also be sent to the hacker via email: the trojan contains its own SMTP engine to construct outgoing messages.
The backdoor functionality includes an FTP server, screen captures, webcam control and file execution.

Indications of Infection
  unexpected outgoing HTTP traffic to the domain indicated above
  existence of the files and Registry keys detailed in this description
  multiple unexpected instances of IEXPLORE.EXE running in the background (no visible window)

Method of Infection
The trojan installs itself in the Windows system folder as PRNTA.EXE and PRNTC.EXE, for example:
  C:\WINNT\SYSTEM32\PRNTA.EXE
  C:\WINNT\SYSTEM32\PRNTC.EXE
A copy is also dropped in the Windows startup folder as PRNTB.EXE, for example:
  C:\DOCUMENTS AND SETTINGS\USER2\START MENU\PROGRAMS\STARTUP\PRNTB.EXE
A keylogging DLL is installed in %WinDir% as PRNTSVR.DLL:
  C:\WINNT\PRNTSVR.DLL
The following Registry key is added to hook system startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "load32" = C:\WINNT\SYSTEM32\PRNTA.EXE
The following key is changed:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  "Shell" from: Explorer.exe
  to: Explorer.exe C:\WINNT\SYSTEM32\PRNTC.EXE
The following Registry key is also added:
  HKEY_CURRENT_USER\SARS
Clipboard contents and logged keystrokes are written to the following files respectively:
  %WinDir%\prntk.log
  %WinDir%\prntc.log
The HTML form that is dropped to facilitate sending stolen data to the hacker via HTTP is written to:
  %WinDir%\TEMP\feff35a0.htm
A raw MIME message containing stolen data is written to:
  %WinDir%\TEMP\fa4537ef.tmp

Removal Instructions
All Users: Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Additional Windows ME/XP removal considerations
SOPHOS

Troj/Dumaru-X
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.
Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.

Description
Troj/Dumaru-X is a backdoor Trojan that acts as a password stealer. When executed, Troj/Dumaru-X copies itself to the Windows system folder with the filenames prnta.exe and prntc.exe and to the Startup folder with the filename prntb.exe.
In order to run automatically when Windows starts up, Troj/Dumaru-X sets the registry entries
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = C:\WINDOWS\<system>\prnta.exe
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe C:\WINDOWS\<system>\prntc.exe
Troj/Dumaru-X creates a number of new files in the Windows folder, as follows:
  prntc.log
  prntk.log
  prntsvr.dll
  fa4537ef.tmp
  feff35a0.htm
where prntsvr.dll is the keylogging DLL component of the Trojan, and prntc.log and prntk.log are the clipboard-contents and keystroke log files.
Running in the background, Troj/Dumaru-X logs the keystrokes of applications whose window titles contain the following strings:
  gold, Storm, e-metal, WebMoney, WM Keeper, Keeper, Fethard, fethard, bull, Bull, mull, PayPal, Bank, bank, cash, ebay, ePass, iKobo, Fidelity
Troj/Dumaru-X tries to connect to http://govno.ws and send out the stolen information in HTML as feff35a0.htm or in email as fa4537ef.tmp, where the latter is the MIME message.

Recovery
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.

Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = C:\WINDOWS\<system>\prnta.exe
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entry:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
It should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.
Close the registry editor.
===================================
Looks like I'll have to change all my passwords...
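The two write-ups quoted above give the same small set of indicators: a Run value named load32, an extra program appended to Winlogon\Shell, an HKCU\SARS marker key, a handful of PRNT*.* files, and IEXPLORE.EXE running with no window while it posts the stolen form. The following is an added example written for this thread, not code from the post or from McAfee or Sophos: a Python script that checks for those indicators offline against a Regedit-style export, a file listing and a process listing. The .reg text, file paths and process tuples in it are constructed samples, and the function names and the (image name, has visible window) process format are my own assumptions, not anything from either vendor.

```python
"""Offline IOC check for the BackDoor-CCT / Troj/Dumaru-X indicators quoted above.

Added example, not code from the thread or from either vendor. It runs on text you
would collect from a suspect machine (a `reg export` file, a file list, a process
list); every sample below is constructed for the demonstration, not a real capture.
"""

# Indicators taken from the vendor descriptions (file names only; paths vary).
DROPPED_FILES = {"prnta.exe", "prntb.exe", "prntc.exe", "prntsvr.dll",
                 "prntk.log", "prntc.log", "feff35a0.htm", "fa4537ef.tmp"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "load32"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
MARKER_KEY = r"HKEY_CURRENT_USER\SARS"
# Winlogon\Shell should name explorer.exe only (Sophos also allows NALWIN32.exe
# on NetWare clients); anything else appended to it is a startup hook.
ALLOWED_SHELL = {"explorer.exe", "nalwin32.exe"}


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key (lower-cased): {value name: string data}}.
    Only "name"="data" (REG_SZ) lines are handled, which is all these IOCs need.
    A key with no values is still recorded, so the empty SARS marker is seen."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files double every backslash inside string data.
                data = data[1:-1].replace("\\\\", "\\")
            hives[current][name.strip('"')] = data
    return hives


def check_registry(hives):
    """Return (kind, detail) findings for the three registry indicators."""
    findings = []
    run = hives.get(RUN_KEY.lower(), {})
    if RUN_VALUE in run:
        findings.append(("run", f"{RUN_VALUE} = {run[RUN_VALUE]}"))
    shell = hives.get(WINLOGON_KEY.lower(), {}).get("Shell", "")
    # Shell is a space-separated command list. A path with spaces gets split
    # here, but it is still reported as unexpected, which is the point.
    extra = [t for t in shell.split() if t.lower() not in ALLOWED_SHELL]
    if extra:
        findings.append(("shell", "Winlogon Shell also runs: " + " ".join(extra)))
    if MARKER_KEY.lower() in hives:
        findings.append(("marker", MARKER_KEY + " exists"))
    return findings


def check_files(paths):
    """Return the paths whose file name matches a dropped-file indicator."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


def hidden_iexplore(processes):
    """processes: iterable of (image name, has visible window) tuples (assumed
    format). IE instances with no window are the sign McAfee lists for the
    trojan posting its HTML form through the browser."""
    return [name for name, visible in processes
            if name.lower() == "iexplore.exe" and not visible]


def scan(reg_text, paths, processes):
    """Run all three checks and return one report dict."""
    return {"registry": check_registry(parse_reg_export(reg_text)),
            "files": check_files(paths),
            "hidden_ie": hidden_iexplore(processes)}


# --- constructed sample input; values are the IOCs quoted in the post --------
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINNT\\SYSTEM32\\PRNTA.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\SYSTEM32\\PRNTC.EXE"

[HKEY_CURRENT_USER\SARS]
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"""

SAMPLE_FILES = [
    r"C:\WINNT\SYSTEM32\PRNTA.EXE",
    r"C:\WINNT\SYSTEM32\PRNTC.EXE",
    r"C:\Documents and Settings\user2\Start Menu\Programs\Startup\PRNTB.EXE",
    r"C:\WINNT\PRNTSVR.DLL",
    r"C:\WINNT\TEMP\feff35a0.htm",
    r"C:\WINNT\SYSTEM32\notepad.exe",
]

SAMPLE_PROCS = [("explorer.exe", True), ("IEXPLORE.EXE", True),
                ("IEXPLORE.EXE", False), ("IEXPLORE.EXE", False)]

if __name__ == "__main__":
    for section, hits in scan(SAMPLE_REG, SAMPLE_FILES, SAMPLE_PROCS).items():
        print(section, hits if hits else "clean")
```

On a real machine you would feed it the output of `reg export` for the two hives, a `dir /s /b` listing of %WinDir%, and a process list annotated with window visibility; the Shell check is deliberately a whitelist rather than a search for prntc.exe, so a renamed dropper appended to Winlogon\Shell is still caught.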
xislt
Registered: 15.03.04
Posts: 594
Posted: 03/05/04 at 15:42

Angry Bull, this very trojan was discussed in the chit-chat section; it was spammed straight to the AWM database, something about ruPAY.
Not only does it steal passwords for all these payment systems, it's also a keylogger, one that sends its logs THROUGH IE, so firewalls suck..
Reinstalling Windows is the best option..
uncle Sam
Registered: 02.05.04
Posts: 18
Posted: 03/05/04 at 16:08

Look how far progress has come :-) Someone has seriously worked on this product.
kassander
Registered: 18.04.03
Posts: 1225
Posted: 03/05/04 at 22:23

The link was in an email with the subject "Как Rupay кидает людей" ("How Rupay rips people off"). I nearly fell for it myself. An updated AVP catches this junk. Run a fresh scan, just in case. And change your passwords to be safe: it has a built-in SMTP engine, who knows what it managed to send.