Tuesday, 17 January 2006
Trojan.Tabela.D is a Trojan horse program that harvests email addresses from the compromised computer. The Trojan sends the stolen addresses to the gabyphoto.com domain using an HTTP POST, then deletes its own file.
Type: Trojan Horse
Infection Length: 5118 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Damage
Payload Trigger: n/a
Payload: Gathers email addresses and sends them to a remote computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: Yes. Sends harvested email addresses to a remote computer.
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
When Trojan.Tabela.D is executed, it performs the following actions:
Creates the following registry subkey:
HKEY_CURRENT_USER\SOFTWARE\32235wr
Iterates through all logical drives to search for email addresses in files that have the following extensions (matched case-insensitively):
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
The Trojan ignores email addresses that contain any of the following substrings (this filters out addresses at antivirus vendors, administrative and automated mailboxes, and well-known abuse or postmaster contacts, so such addresses will not appear in the data it sends out):
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
Sends the gathered email addresses to the domain gabyphoto.com using an HTTP POST.
Deletes its own executable file and exits. Because the file removes itself, the registry subkey above and outbound HTTP POST traffic to gabyphoto.com are the main indicators that remain after the Trojan has run.
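The following is an added example that is not part of the original write-up: a model of the Trojan's address-selection rules, built from the file-extension and exclusion-string lists above, so that a responder can see which addresses on a machine the harvester would have reported and which it would have skipped. The address regular expression and the sample files are assumptions (the write-up does not give the Trojan's own matching logic, and the documents below are constructed, not real captures). The code only filters text; it does not contact any host.

```python
# Added example: model of Trojan.Tabela.D's address selection (not the Trojan's
# own code). Extension and exclusion lists are taken from the write-up; the
# address regex and the sample documents are assumptions/constructed data.
import os
import re

# File extensions the Trojan searches, normalised to lower case.
TARGET_EXTENSIONS = {
    ".wab", ".txt", ".msg", ".htm", ".shtm", ".stm", ".xml", ".dbx", ".mbx",
    ".mdx", ".eml", ".nch", ".mmf", ".ods", ".cfg", ".asp", ".php", ".pl",
    ".wsh", ".adb", ".tbb", ".sht", ".xls", ".oft", ".uin", ".cgi", ".mht",
    ".dhtm", ".jsp",
}

# Substrings that cause an address to be discarded.
EXCLUDED_SUBSTRINGS = [
    "rating@", "f-secur", "news", "update", "anyone@", "bugs@", "contract@",
    "feste", "gold-certs@", "help@", "info@", "nobody@", "noone@", "kasp",
    "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux",
    "listserv", "certific", "sopho", "@foo", "@iana", "free-av", "@messagelab",
    "winzip", "google", "winrar", "samples", "abuse", "panda", "cafee", "spam",
    "pgp", "@avp.", "noreply", "local", "root@", "postmaster@",
]

# Assumed address pattern: the write-up does not specify the Trojan's regex,
# so this simply matches ordinary user@host.tld strings.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_targeted_file(path):
    """True if the file's extension is one the Trojan reads."""
    return os.path.splitext(path)[1].lower() in TARGET_EXTENSIONS


def would_harvest(address):
    """True if the address survives the exclusion list.

    Matching is case-insensitive and substring based, which is why addresses
    such as 'Admin@example.com' or 'jane@linux-users.org' are thrown away.
    """
    lowered = address.lower()
    return not any(bad in lowered for bad in EXCLUDED_SUBSTRINGS)


def harvest(documents):
    """Return the sorted set of addresses the Trojan would send home.

    `documents` maps a file path to its text content and stands in for the
    files the Trojan reads while iterating over every logical drive.
    """
    found = set()
    for path, text in documents.items():
        if not is_targeted_file(path):
            continue
        for addr in ADDRESS_RE.findall(text):
            if would_harvest(addr):
                found.add(addr.lower())
    return sorted(found)


# Constructed sample files exercising each branch of the selection logic.
SAMPLE_DOCUMENTS = {
    r"C:\mail\inbox.dbx": "From: alice@example.com\nCc: Admin@example.com\n",
    r"C:\web\contact.htm": "Mail bob@example.net or support@example.net",
    r"C:\users\notes.txt": "root@example.org, carol@spamhaus.example, dave@sample.test",
    r"C:\docs\report.docx": "erin@example.com",  # .docx is not a searched extension
}

if __name__ == "__main__":
    for addr in harvest(SAMPLE_DOCUMENTS):
        print(addr)
```

Running the block prints only alice@example.com, bob@example.net and dave@sample.test: the administrative, support, root and spam-related addresses are dropped by the substring filter, and erin@example.com is never seen because .docx is not on the extension list. The practical point for a responder is that honeypot or canary addresses hosted at antivirus-vendor, admin or abuse mailboxes would not have been reported by this Trojan, so their absence in the exfiltrated data says nothing about whether the machine was harvested.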
To delete the subkey from the registry:
Navigate to and delete the following subkey:
HKEY_CURRENT_USER\SOFTWARE\32235wr
Exit the Registry Editor. Note that removing the subkey cleans the host artifact only; addresses already sent to gabyphoto.com should be treated as disclosed.