Overview
Characteristics
This detection is for a password stealing trojan, originating from China. The detection covers the password stealer itself, and also a configuration/generation application.
The password-stealer portion is for registered users who owns a 163.com email account. The program retrieves information such as the following:
- internet game accounts/passwords
- chat program passwords/userprofiles (eg. icq)
The information is emailed to the hacker. Passwords are stored in a user-defined text file on the system. When the hacker wants to use the stolen passwords a hotkey (Ctrl_Alt_K) is provided. A screenshot of the configuration program is shown below:
When the password-stealing trojan is executed, it opens a random port on the infected user's system. An email is then sent to the hacker to inform him of this. The trojan also claims to bring down the firewall as well, however this was not observed in testing.
Symptoms
When this trojan is run for the first time, the file SAVEALL2002.INI is created in %WinDir%.
The trojan component (which uses a text document icon) installs itself as %WinDir%\XMANV2002.EXE and modifies the following Registry key to execute itself at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"system32" = C:\windows\xmanv2002.exe
The following files are also dropped:
- %WinDir%\SYSTEM\KV30002002.DLL
- %WinDir%\COMELETGO.DAT
Method of Infection
This application can be downloaded from the web. Infection happens upon executing.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants