Password-protected Trojan slides under antivirus scans

By Edmund X. DeJesus, Information Security magazine Contributor 24 Nov 2003 | Information Security magazine

Digg This!     StumbleUpon     Del.icio.us

Antivirus experts recommend updating signatures and other mitigations to protect against a Trojan that uses a seemingly safe password-protected zip file to deliver its payload.

Experts aren't in agreement on naming conventions and call it: Troj/Tofger.A, MultiDropper.GP.A, TrojanDropper.JS.Mimail.B and Trojan.Sefex. It logs keystrokes and sends them to a remote location on an active Internet connection. It runs automatically when Windows starts by modifying system.exe file, registry entries and other settings.

The Trojan arrives via e-mail with a blank subject, a password-protected MyProfile.zip attachment, and includes the password in the message body. The zip attachment flies under the radar of most antivirus software, and an unsuspecting user inputs the password to open the zip file. Inside is an HTML file (Profile.html), which in turn drops the payload (dating.exe, or something equally enticing).

While this Trojan doesn't self-replicate, it propagates through e-mail, IRC, peer-to-peer sharing and other delivery methods. To mitigate the problem, change compromised passwords, edit the target registry entry or delete Windows files. You can also disable HTML e-mail, either filtering at the perimeter or at the client.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary