Overview
-- Update June 2, 2008 --
A variant of this trojan family has recently been discovered which was used in a spear-phishing campaign. It was sent to executives at a number of companies, purporting to be a notice from the US Tax Court. If the link in the email is clicked, it indicates it's installing an Adobe Acrobat viewer, but in fact it's the PWS-Fireming.dll trojan.
More information on this incident can be found on the AvertLabs blog.
This trojan will download and execute malicious programs. It will also steal certificates stored in Internet Explorer.
|
Minimum DAT
5066 (2007-07-03) Updated DAT5793 (2009-11-05) |
Minimum Engine
5.1.00 File LengthVaries |
Description Added
2007-07-03 Description Modified2008-06-04 |
Malware Proliferation
Characteristics
-- Update June 3, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://redmondmag.com/news/article.asp?EditorialsID=9926
-- Update June 2, 2008 --
A variant of this trojan family has recently been discovered which was used in a spear-phishing campaign. It was sent to executives at a number of companies, purporting to be a notice from the US Tax Court. If the link in the email is clicked, it indicates it's installing an Adobe Acrobat viewer, but in fact it's the PWS-Fireming.dll trojan.
More information on this incident can be found on the AvertLabs blog.
This trojan will download and execute malicious programs. It will also steal certificates stored in Internet Explorer.
The trojan will connect to the following URL to receive further commands:
- http://203.121.[removed].232:80/OOO4/[removed].php?mod=cmd&user=computername&ext=my.pfx
It uses the following user agent string to spoof Mozilla Firefox HTTP requests:
- Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2
Further malware can also be downloaded to the following path and then executed.
- [%USERPROFILE%]\Local Settings\Temp\aol90.exe
This trojan will also collect certificates stores from Internet Explorer and send this information to the server. This information is first written to
- [%WINDIR%]\kb0758257.log
where it is then uploaded using a HTTP POST request.
(where %USERPROFILE% is the user profile directory on Windows e.g. C:\Documents and Settings\User Name\Local Settings,
where %WINDIR% is the Windows directory e.g. C:\Windows)
Symptoms
Presence of unexpected internet connection to previously mentioned url.
Presence of previously mentioned file.
Method of Infection
N/A
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
Variants