A few details:
TROJ_DUMARIN.H
Also detected as Backdoor.Nibu.G, a variant of Backdoor.Nibu.E, this Trojan attempts to steal passwords and bank account information. It is packed with FSG.
In the wild: Yes
--------------------------------------------------------------------------------
Payload 1: Steals system and user information
Trigger condition 1: Upon execution
--------------------------------------------------------------------------------
Language: English
Platform: 95, 98, ME, NT, 2000, XP
Encrypted: Yes
Size of virus: 21,088 Bytes
Pattern file needed: 1.904.36
Scan engine needed: 6.740
Discovered: Jun. 2, 2004
Detection available: Jun. 2, 2004
--------------------------------------------------------------------------------
Details:
Installation and Autostart Technique
Upon execution, this memory-resident Trojan drops the following copies of itself in the Windows system folder (both names are chosen to resemble the legitimate SVCHOST.EXE):
SVOHOST.EXE
SWCHOST.EXE
It also drops the following files in the Windows startup and Windows folders, respectively:
SVCHOST.EXE - a copy of itself
PRNTSVR.DLL - a keylogger component file, which is detected as TROJ_DUMARIN.G
Then, it creates the following registry entry so that it executes at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
load32 = "C:\WINNT\System32\swchost.exe"
As part of its autostart mechanism, it modifies SYSTEM.INI and appends its name to the shell key of the [boot] section as follows:
[boot]
shell=explorer.exe %System%\svohost.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
On Windows NT, 2000, and XP, however, the .INI file is not modified. The following registry entry is changed instead:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe %System%\svohost.exe"
(Note: The original value is "explorer.exe".)
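As an added example (not part of the original advisory), the following Python script checks for the shell-hook persistence described above: it parses the [boot] section of a SYSTEM.INI and inspects a Winlogon Shell value, reporting anything launched alongside explorer.exe. The SYSTEM.INI text is constructed sample data; the live_winlogon_shell helper reads the real registry value through winreg only when run on Windows and returns None elsewhere.

```python
"""Added example: detect shell-hook persistence (SYSTEM.INI [boot] shell=
and the Winlogon Shell registry value) of the kind TROJ_DUMARIN.H sets.
Sample data below is constructed, not captured from an infected host."""
import re

EXPECTED_SHELL = "explorer.exe"   # the only value a clean system should carry

# Constructed SYSTEM.INI excerpt mirroring the modification described above.
SAMPLE_SYSTEM_INI = r"""
; constructed sample, not a real capture
[boot]
shell=explorer.exe %System%\svohost.exe
drivers=mmsystem.dll

[386Enh]
woafont=dosapp.fon
"""


def extra_shell_entries(shell_value):
    """Return every token of a shell command line other than explorer.exe.
    A non-empty result means something else is launched with the shell."""
    return [tok for tok in shell_value.strip().split()
            if tok.lower() != EXPECTED_SHELL]


def system_ini_shell(ini_text):
    """Return the shell= value from the [boot] section, or None if absent.
    Hand-rolled rather than configparser because SYSTEM.INI values contain
    '%' characters that configparser would try to interpolate."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def live_winlogon_shell():
    """Read the Winlogon Shell value from HKLM on a live Windows host.
    Returns None on any platform without the winreg module."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


def audit_shell_hooks(ini_text, winlogon_shell):
    """Return a list of (location, extra_tokens) findings; empty means clean.
    Either input may be None when that location does not apply."""
    findings = []
    ini_value = system_ini_shell(ini_text) if ini_text else None
    if ini_value is not None:
        extras = extra_shell_entries(ini_value)
        if extras:
            findings.append(("SYSTEM.INI [boot] shell", extras))
    if winlogon_shell is not None:
        extras = extra_shell_entries(winlogon_shell)
        if extras:
            findings.append((r"HKLM\...\Winlogon\Shell", extras))
    return findings


if __name__ == "__main__":
    # Sample run against the constructed INI and the registry value the
    # advisory quotes for NT/2000/XP.
    for where, extras in audit_shell_hooks(
            SAMPLE_SYSTEM_INI, r"explorer.exe %System%\svohost.exe"):
        print(f"{where}: unexpected shell entries {extras}")
    live = live_winlogon_shell()
    if live is not None:
        print("live Winlogon Shell:", live, audit_shell_hooks(None, live))
```

The check is deliberately strict: any token other than explorer.exe is reported, because the legitimate value on every listed platform is exactly "explorer.exe". On 9x/ME the value lives in SYSTEM.INI, on NT-based systems in the registry, so a complete audit runs both paths.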
Information Theft
This malware creates the following files in the Windows Temporary folder:
FA4537EF.HTM
FE43E701.HTM
FEFF35A0.HTM
The said files contain the following information, which it posts to a specific site:
Internet Explorer (IE) version
IP address of an infected machine
Windows version
The site is as follows:
*www.whatp<BLOCKED>osite.com/css/logger.php
It then drops the file RUNDLLN.SYS, which serves as its log file, in the Windows folder.
It also gathers account information of any online transaction made through WEBMONEY and E-GOLD.
Disabling Access to Antivirus Web Sites
To prevent the user from updating antivirus pattern files, this Trojan adds entries to the HOSTS file of the infected system. Because HOSTS is consulted before DNS, the entries resolve the following Web sites to the local machine (127.0.0.1), so that neither the browser nor the vendors' update clients can reach them:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
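As an added example (not part of the original advisory), the following Python script finds HOSTS-file entries that sinkhole antivirus update sites the way described above and produces a cleaned copy of the file. It flags any hostname mapped to a loopback or unspecified address other than the usual local aliases, and marks the ones on the advisory's list as known AV update hosts. The sample HOSTS text is constructed, not taken from an infected machine.

```python
"""Added example: find HOSTS-file entries that sinkhole antivirus update
sites to 127.0.0.1 as TROJ_DUMARIN.H does, and produce a cleaned copy.
The sample HOSTS text is constructed, not taken from an infected machine."""
import ipaddress

# Hostnames the advisory lists as redirected; kept lower-case for matching.
AV_UPDATE_HOSTS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com", "www.avp.com", "www.ca.com",
    "www.f-secure.com", "www.kaspersky.com", "www.mcafee.com",
    "www.my-etrust.com", "www.nai.com", "www.networkassociates.com",
    "www.sophos.com", "www.symantec.com", "www.trendmicro.com",
}
# Names that legitimately point at loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample HOSTS file with the kind of entries the Trojan adds.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 trendmicro.com www.trendmicro.com   # two names on one line
0.0.0.0 update.symantec.com
192.168.1.10    intranet.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a HOSTS file,
    skipping comments, blank lines and lines whose address does not parse."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def find_sinkholed(text):
    """Return (line_number, hostname, ip, known_av_host) for every name that
    is mapped to a loopback or unspecified address and is not a local alias.
    Any such mapping is suspect; known_av_host flags the advisory's list."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            hits.append((lineno, name, str(ip), name in AV_UPDATE_HOSTS))
    return hits


def clean_hosts(text):
    """Return the HOSTS text with every line carrying a sinkholed mapping
    removed. Whole lines go, so a line mixing a legitimate alias with a
    hijacked name loses both; review the report before writing back."""
    bad_lines = {lineno for lineno, _, _, _ in find_sinkholed(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1)
            if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name, ip, known in find_sinkholed(SAMPLE_HOSTS):
        tag = "known AV update host" if known else "unlisted"
        print(f"line {lineno}: {name} -> {ip} ({tag})")
    print(clean_hosts(SAMPLE_HOSTS))
```

On a live Windows host the file to feed in is %System%\drivers\etc\hosts; it is normally writable only by administrators, which is also why this Trojan needs the privileges it runs with to plant the entries.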