New Threat: Infostealer.Phax



SpySentinel
2007-04-05, 23:08
Spybot should add this new threat for detection: Infostealer.Phax
When the Trojan is executed, it creates the following file:
%System%\wnvdsf.ax

Next, the Trojan creates the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown

The Trojan also adds the following winsock service provider:
Name: MSAFD Tcpip [TCP/IP]
GUID: {D69BD79E-10DD-43A0-0028-5F1530000100}

The Trojan downloads the file server.exe from the following location:
hxxp...wxx.club8.tw/serve

The file server.exe then drops the following files:

* avp.exe
* hsvwer2.dll
The file avp.exe is installed as the following service:
VGADown

The file hsvwer2.dll is installed as a Layered Service Provider.

The Trojan may download a configuration file from the following location:
.fh689.com/gunfile/fileo

It may then download the file svch.exe from the following location:
.fh689.com/gunfile/svch

The file svch.exe drops the following files:

* lsass.exe
* md6media.dll

The file md6media.dll is installed as a Layered Service Provider.

The Trojan then targets several Taiwanese online gaming Web sites and games, including the following:

* tw.gamania.com (Taiwanese game Web site, which operates 19 online games)
* gameflier.com (Taiwanese game Web site, which operates 14 online games)
* Rexue Jianghu online
* Silkroad Online
* Rohan
The Trojan monitors Internet activity for the following strings:

* cardno
* cardanswer
* bankpass
* shoppass
* tradepass
* groupid
* grouppass
* user
* pass
* perpass
* username
* password
* gashpass
* gashid
* name
* personid
* birthday
* newgashpass
* passhint
* gameaccount
* newgamepass
It then gathers and sends sensitive information to a remote location.
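
The indicators in the writeup above, turned into a host and proxy-log check as an added example (this is not code from the thread, from Spybot or from Symantec's writeup). It looks for the VGADown service, wnvdsf.ax in %System%, the trojan's Winsock catalog GUID and LSP DLLs, and requests to the download hosts. The snapshot structure, the proxy-log format and all sample data are constructed; the hostnames club8.tw and fh689.com are read from the defanged URLs on the assumption that "wxx." stands for "www.", the "genuine provider" GUID is a placeholder rather than the real one, and the rule that genuine MSAFD providers are served by mswsock.dll is an assumption made for the example.

```python
"""Check a host snapshot and proxy log for the Infostealer.Phax indicators.

Added example, not from the thread or the Symantec writeup. How the snapshot
is collected (service list, %System% listing, Winsock catalog, proxy log) is
assumed; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# --- Indicators as given in the quoted writeup ------------------------------
IOC_SERVICE = "vgadown"                          # avp.exe is installed as this service
IOC_SYSTEM_FILE = "wnvdsf.ax"                    # dropped into %System%
IOC_LSP_DLLS = {"hsvwer2.dll", "md6media.dll"}   # installed as Layered Service Providers
IOC_WINSOCK_GUID = "{D69BD79E-10DD-43A0-0028-5F1530000100}"
# Assumption: "wxx." in the defanged URL is "www."; any host under these domains matches.
IOC_DOMAINS = ("club8.tw", "fh689.com")
IOC_URL_PATHS = ("/serve", "/gunfile/fileo", "/gunfile/svch")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    indicator: str  # which indicator matched
    evidence: str   # the snapshot item or request that matched


def check_services(service_names):
    """Flag the VGADown service by name (case-insensitive)."""
    return [Finding("high", "service VGADown", s) for s in service_names if s.lower() == IOC_SERVICE]


def check_system_dir(filenames):
    """Flag wnvdsf.ax in a listing of %System%."""
    return [Finding("high", "%System%\\wnvdsf.ax", f) for f in filenames if f.lower() == IOC_SYSTEM_FILE]


def check_winsock_catalog(entries):
    """entries: (display name, GUID, provider DLL) triples from the Winsock catalog.

    The trojan reuses the display name of the genuine TCP/IP provider, so the
    match is on the GUID and the DLL, never on the name alone.
    """
    findings = []
    for name, guid, dll in entries:
        dll_base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if guid.upper() == IOC_WINSOCK_GUID:
            findings.append(Finding("high", "Winsock provider GUID", f"{name} {guid} {dll}"))
        elif dll_base in IOC_LSP_DLLS:
            findings.append(Finding("high", "LSP DLL", f"{name} {guid} {dll}"))
        elif name.startswith("MSAFD Tcpip") and dll_base != "mswsock.dll":
            # Assumption: genuine MSAFD providers are served by mswsock.dll.
            findings.append(Finding("medium", "MSAFD name backed by unexpected DLL", f"{name} {guid} {dll}"))
    return findings


# Constructed proxy-log format: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def _host_matches(host):
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_proxy_log(lines):
    """Flag requests to the download hosts; the known payload paths rate 'high'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("url"))
        if _host_matches((parsed.hostname or "").lower()):
            sev = "high" if parsed.path.startswith(IOC_URL_PATHS) else "medium"
            findings.append(Finding(sev, "download host", f"{m.group('client')} -> {m.group('url')}"))
    return findings


def scan(snapshot):
    """snapshot: dict with keys 'services', 'system_files', 'winsock', 'proxy_log'."""
    return (check_services(snapshot.get("services", ()))
            + check_system_dir(snapshot.get("system_files", ()))
            + check_winsock_catalog(snapshot.get("winsock", ()))
            + check_proxy_log(snapshot.get("proxy_log", ())))


# --- Constructed sample data (not real telemetry; the genuine GUID is a placeholder) ---
GENUINE = ("MSAFD Tcpip [TCP/IP]", "{00000000-0000-0000-0000-000000000001}", "%SystemRoot%\\system32\\mswsock.dll")
CLEAN_HOST = {
    "services": ["Dhcp", "Dnscache", "LanmanServer"],
    "system_files": ["kernel32.dll", "mswsock.dll", "lsass.exe"],
    "winsock": [GENUINE],
    "proxy_log": ["2007-04-05T23:08:00 10.0.0.5 GET http://www.example.com/index.html"],
}
INFECTED_HOST = {
    "services": ["Dhcp", "VGADown", "LanmanServer"],
    "system_files": ["kernel32.dll", "mswsock.dll", "wnvdsf.ax"],
    "winsock": [GENUINE, ("MSAFD Tcpip [TCP/IP]", IOC_WINSOCK_GUID, "%SystemRoot%\\system32\\hsvwer2.dll")],
    "proxy_log": [
        "2007-04-05T23:08:00 10.0.0.7 GET http://www.club8.tw/serve",
        "2007-04-05T23:09:10 10.0.0.7 GET http://www.fh689.com/gunfile/fileo",
        "2007-04-05T23:09:15 10.0.0.7 GET http://www.example.com/index.html",
    ],
}

if __name__ == "__main__":
    for f in scan(INFECTED_HOST):
        print(f"[{f.severity}] {f.indicator}: {f.evidence}")
```

Running the block prints five high-severity findings for the constructed infected host and nothing for the clean one. The Winsock check is the part worth keeping in mind: because the malicious catalog entry carries the same display name as the real TCP/IP provider, a check that lists provider names would miss it, while the GUID and the backing DLL give it away.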

md usa spybot fan
2007-04-06, 00:19
SpySentinel:

Quick question. Was this information gathered independently or are you quoting the signatures of Infostealer.Phax from some other source?

tashi
2007-04-06, 02:13
md usa spybot fan.

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-040515-0222-99&tabid=2

Writeup By: Robert X Wang

I'd think most antivirus vendors will be covering this one soon.