Trojan:Win32/Wisp.A
First posted on 12 March 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Wisp.A is also known as Trojan.Win32.Cosmu.ons (Kaspersky), BackDoor-EMN (McAfee).
Explanation:
Trojan:Win32/Wisp.A steals sensitive information from the compromised computer and allows an attacker to gain unauthorized access to the system in order to perform additional malicious actions, including downloading and executing arbitrary files. This trojan is installed by Trojan:Win32/Wisp.B. In the wild, this trojan has been reported to be distributed via malicious web pages that attempt to exploit the vulnerability described in Microsoft Security Advisory 981374. This exploit is detected as Exploit:JS/CVE-2010-0806.

Installation
Trojan:Win32/Wisp.A is a detection for a DLL that is dropped by Trojan:Win32/Wisp.B and is loaded from the following file location:
%Temp%\wshipl.dll
Payload
Steals system information
The trojan contacts a script on the domain "topix21century.com" over HTTPS and sends sensitive system information such as:
Computer name
IP address
Proxy server and port number

Backdoor functionality
Trojan:Win32/Wisp.A downloads a configuration file that may contain commands instructing the trojan to perform the following actions on the compromised computer:
Download files
Upload files
Execute commands through the command prompt
Get a list of processes running on the system
Reboot the system
Steal passwords
Terminate processes
Retrieve the RDP listening port number

Additional information
The trojan creates and deletes a number of files in the %Temp% directory during its execution, using them to store configuration data and other information it gathers from the system. The trojan may create the following files for this purpose:
gnotes.dat
pnotes.dat
tgnotes.dat
tpnotes.dat
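The indicators in the Installation and Payload sections above (the dropped DLL in %Temp%, the scratch .dat files, and the HTTPS contact to topix21century.com) are what an incident responder would actually sweep for. The following triage script is an added example written for this page; it is not code from the original write-up or from any vendor tool. It takes a listing of %Temp% and a set of proxy log lines and reports which Wisp.A indicators match. The log format, host names, client addresses and file listing are constructed sample data, not real captures; only the indicator values themselves come from the write-up.

```python
"""Triage for the Trojan:Win32/Wisp.A indicators described in this write-up."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Indicators taken from the write-up above.
WISP_DLL = "wshipl.dll"
WISP_SCRATCH_FILES = frozenset({"gnotes.dat", "pnotes.dat", "tgnotes.dat", "tpnotes.dat"})
WISP_C2_DOMAIN = "topix21century.com"

# Matches the C2 domain (or any subdomain of it) as a whole host name inside a log line,
# so look-alikes such as "notopix21century.com" do not match.
_C2_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*"
    + re.escape(WISP_C2_DOMAIN)
    + r"(?![A-Za-z0-9.-])",
    re.IGNORECASE,
)


@dataclass
class TriageResult:
    dll_hits: List[str] = field(default_factory=list)
    scratch_hits: List[str] = field(default_factory=list)
    c2_hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The dropped DLL or a C2 contact is a strong signal on its own. The .dat names
        # are generic and are created and deleted during execution, so on their own
        # they only corroborate.
        return bool(self.dll_hits or self.c2_hits)


def scan_temp_listing(paths: Iterable[str]) -> TriageResult:
    """Check a listing of %Temp% (full Windows paths) for the dropped DLL and scratch files."""
    result = TriageResult()
    for path in paths:
        name = ntpath.basename(path).lower()  # Windows file names are case-insensitive
        if name == WISP_DLL:
            result.dll_hits.append(path)
        elif name in WISP_SCRATCH_FILES:
            result.scratch_hits.append(path)
    return result


def scan_proxy_log(lines: Iterable[str]) -> List[str]:
    """Return the proxy log lines that record a connection to the C2 domain."""
    return [line for line in lines if _C2_HOST_RE.search(line)]


def triage(temp_paths: Iterable[str], proxy_lines: Iterable[str]) -> TriageResult:
    """Combine host and proxy evidence into one result."""
    result = scan_temp_listing(temp_paths)
    result.c2_hits = scan_proxy_log(proxy_lines)
    return result


# Constructed sample inputs (hypothetical host, not a real capture).
SAMPLE_TEMP_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\WSHIPL.DLL",
    r"C:\Users\alice\AppData\Local\Temp\gnotes.dat",
    r"C:\Users\alice\AppData\Local\Temp\tpnotes.dat",
    r"C:\Users\alice\AppData\Local\Temp\~DF1234.tmp",
]
# Constructed proxy log lines in a simple "date time client method target status" layout.
SAMPLE_PROXY_LOG = [
    "2010-03-12 09:14:02 10.0.0.7 CONNECT topix21century.com:443 200",
    "2010-03-12 09:14:05 10.0.0.7 GET http://www.example.com/ 200",
    "2010-03-12 09:14:09 10.0.0.7 CONNECT update.topix21century.com:443 200",
    "2010-03-12 09:14:11 10.0.0.9 CONNECT notopix21century.com:443 200",
]

if __name__ == "__main__":
    r = triage(SAMPLE_TEMP_LISTING, SAMPLE_PROXY_LOG)
    print("suspicious:", r.suspicious)
    for label, hits in (("DLL", r.dll_hits), ("scratch", r.scratch_hits), ("C2", r.c2_hits)):
        for hit in hits:
            print(f"  [{label}] {hit}")
```

Because the trojan talks to its server over HTTPS, the request path and posted data are not visible in a proxy log; the CONNECT target host is the usable network indicator, which is why the scan matches on the host name (and its subdomains) rather than on a URL.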
Analysis by Amir Fouda
Last update 12 March 2010