
TrojanSpy:Win32/Worsmep.A


First posted on 15 October 2010.
Source: SecurityHome

Aliases :

There are no other names known for TrojanSpy:Win32/Worsmep.A.

Explanation :

TrojanSpy:Win32/Worsmep.A is a trojan that modifies the infected computer's Hosts file, and monitors the user's Internet activities.

Installation

Upon execution, TrojanSpy:Win32/Worsmep.A displays a dialog box. If the user clicks the 'OK' button, the trojan creates the following file:

  • %Program Files%\Yahoo\y_updater.exe

TrojanSpy:Win32/Worsmep.A also modifies the registry so that the above file is executed on each Windows start:

  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "y_updater"
  With data: "%Program Files%\Yahoo\y_updater.exe"

Payload

Modifies Hosts file

TrojanSpy:Win32/Worsmep.A modifies the Windows Hosts file. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malicious software may make modifications to the Hosts file to redirect specified URLs to different IP addresses. Malware often modifies a computer's Hosts file to stop users from accessing websites associated with particular security-related applications (such as antivirus, for example). TrojanSpy:Win32/Worsmep.A overwrites the Hosts file, located at <system folder>\drivers\etc\hosts, with the entries listed below:

  • 198.63.38.53 escrow.com
  • 198.63.38.53 www.escrow.com
  • 198.63.38.53 imgs.escrow.com

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 it is C:\Windows\System32.

This causes the browser to be directed to the IP address 198.63.38.53 when the user attempts to visit any of the escrow websites listed in the Hosts file. At the time of writing, the IP address hosts a phishing website that looks identical to the legitimate escrow.com website.

Monitors Internet activity

TrojanSpy:Win32/Worsmep.A also monitors Internet sessions, looking to see if a certain server script is accessed. If so, the trojan logs information sent to the script and saves it to the file location C:\Windows\system32\logfiles\pcm_records.txt.
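Defenders checking a machine for the Hosts file tampering described above can parse the file and flag every mapping that is not loopback; the script below is an added example, not part of the original entry, and the Hosts file content it scans is constructed inline (the escrow.com entries and the 198.63.38.53 address are the ones listed on this page).

```python
"""Added example: scan Windows Hosts file text for hijacked resolutions, i.e.
any hostname mapped to a non-loopback address, and tag the entries that match
the Worsmep.A indicators given in the entry above."""
import ipaddress

# Indicators from the page: the address Worsmep.A writes for the escrow.com hostnames.
WORSMEP_IP = "198.63.38.53"
WORSMEP_HOSTS = {"escrow.com", "www.escrow.com", "imgs.escrow.com"}

# Constructed sample Hosts file content (not captured from a real system).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
198.63.38.53 escrow.com
198.63.38.53 www.escrow.com
198.63.38.53 imgs.escrow.com   # trailing comment
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip rather than crash on a damaged file
        for host in parts[1:]:  # one address may map several hostnames
            yield str(ip), host.lower()


def find_hijacks(text):
    """Return {hostname: (ip, kind)} for every non-loopback mapping.
    kind is 'worsmep' when ip and hostname match the page's indicators, else 'suspicious'."""
    findings = {}
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # 127.0.0.1 / ::1 entries are normal
        matched = ip == WORSMEP_IP and host in WORSMEP_HOSTS
        findings[host] = (ip, "worsmep" if matched else "suspicious")
    return findings


if __name__ == "__main__":
    for host, (ip, kind) in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{kind:10} {host} -> {ip}")
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its text to find_hijacks; any 'suspicious' entry still needs a human to confirm it is not a deliberate local override.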

Analysis by Amir Fouda

Last update 15 October 2010