Español | English
rss facebook linkedin Twitter

Trojan Dropper

The last day the S21sec ecrime team came across a new version of the already known Trojan Dropper variant, which counts to one of the most common Trojans found on infected machines.

The trojan installs a keylogger to sniff; and a BHO (Browser Helper Object) for Internet Explorer to be able to inject content into web pages. This content is defined in a configuration file which has drastically changed since the last version we looked at.

Now, the configuration file does not contain any external links to phishing pages anymore. So to injecting content into a web page, the local configuration is used and no external domains need to be contacted.


The actual version creates different files which can mostly found in the %System% folder (c:\windows\system32 in WinXP). The current .dll used as BHO is called jetaccs.dll and can be seen with HijackThis from Trendmicro.

Sniffed data is stored in %System%\alog.txt. After restarting the browser this file is send to the c&c server and gets deleted afterward.





Currently, 142 affected sites can be found in the config file. Interesting are also the following entries:
<nolog>google</nolog>
<nolog>msn</nolog>
<nolog>myspace</nolog>
A fast test confirmed the first guess, accounts from gmail don't get sniffed, whereas account data from e.g. gmx.net (not found in the configuration file) gets collected. The reason for this exclusion is not clear until now.

To manually disinfect a computer, HijackThis can be used to disable the BHO. %System%\jetaccs.dll has to be renamed and can be deleted after a reboot.

Clemens Kurtenbach
S21sec e-crime

0 comentarios:


(+34 902 222 521)


24 hours a day, 7 days a week



© Copyright S21sec 2013 - All rights reserved


login