Overview
This trojan uploads harvested email address from infected computers to a website. Most likely the harvested addresses are used for SPAM (unsolicited email) purposes. They may be sold to spammers by the trojan author, or possibly used to seed other viruses and trojans in the future.
|
Minimum DAT
4742 (2006-04-17) Updated DAT4826 (2006-08-10) |
Minimum Engine
5.1.00 File LengthVaries |
Description Added
2006-04-15 Description Modified2006-04-15 |
Malware Proliferation
Characteristics
When run, the trojan displays nothing on the screen. It simply starts scanning files on the local system, looking for email addresses to POST to a PHP page on the following site:
- www.gabyphoto.com/pages/
Symptoms
The trojan creates an infection marker registry key:
- HKEY_CURRENT_USER\Software\FirstRun
Method of Infection
The trojan harvests email addresses from files with the following extensions:
- *.*
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
The trojan aviods harvesting addresses containing the following strings:
- rating@
- f-secur
- news
- update
- anyone@
- bugs@
- contract@
- feste
- gold-certs@
- help@
- info@
- nobody@
- noone@
- kasp
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- sopho
- @foo
- @iana
- free-av
- @messagelab
- winzip
- winrar
- samples
- abuse
- panda
- cafee
- spam
- pgp
- @avp.
- noreply
- local
- root@
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants