Whitewell

-- Update November 4, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/11/03/trojan_cnc_pokes_facebook/

--

When executed, this trojan drops a copy of itself in the following locations:

• %Temp%\setup.exe

It then creates the following registry entry to ensure its execution at system startup:

• HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
  Key: "MCAFEEIPS"
  Data: "%Temp%\setup.exe"

Note:

• %Temp% refers to a variable location, and a typical path is "C:\Documents and Settings\User_Name\Local Settings\Temp"

Once infected, the trojan connects to www.m.facebook.com. It then logs into a profile created by the attacker and awaits further instructions from its attacker, thus acting like a "bot".

The attacker once connected to the machine, can perform the following actions on the victim's machine:

• Retrieve system information
• Connect to download files from the URLs.
• Execute programs remotely

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.