
Trojan Dropper

Yesterday the S21sec ecrime team came across a new version of the already known Trojan Dropper variant, one of the most common Trojans found on infected machines.

The trojan installs a keylogger to sniff credentials, and a BHO (Browser Helper Object) for Internet Explorer that lets it inject content into web pages. The injected content is defined in a configuration file, which has changed drastically since the last version we looked at.

The configuration file no longer contains any external links to phishing pages. To inject content into a web page, only the local configuration is used, so no external domain needs to be contacted.


The current version creates several files, most of which can be found in the %System% folder (c:\windows\system32 on WinXP). The .dll currently used as the BHO is called jetaccs.dll and shows up in a HijackThis (Trend Micro) scan.

Sniffed data is stored in %System%\alog.txt. After the browser is restarted this file is sent to the C&C server and deleted afterwards.





Currently, 142 affected sites can be found in the config file. The following entries are also interesting:
<nolog>google</nolog>
<nolog>msn</nolog>
<nolog>myspace</nolog>
A quick test confirmed the first guess: accounts from gmail are not sniffed, whereas account data from e.g. gmx.net (not found in the configuration file) is collected. The reason for this exclusion is not yet clear.
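The following is an added example, not code from the S21sec post: an incident-response helper that reproduces the `<nolog>` exemption so an analyst can scope which credentials from an infected user's browsing history ended up in alog.txt (and therefore at the C&C). It rests on two assumptions that the post does not state: the matching is a case-insensitive substring test (inferred from `<nolog>google</nolog>` exempting mail.google.com), and it is unknown whether the test runs over the hostname or the whole URL, so both variants are offered. The config fragment and browsing history are constructed.

```python
# Added example, not code from the S21sec post: reproduce the Dropper's
# <nolog> exemption to scope which credentials were written to alog.txt.
# Assumptions (not facts from the post): case-insensitive substring
# matching, applied either to the hostname or to the full URL.
import re
from urllib.parse import urlsplit

# Constructed config fragment using the three entries quoted in the post.
SAMPLE_CONFIG = """
<nolog>google</nolog>
<nolog>msn</nolog>
<nolog>myspace</nolog>
"""

NOLOG_RE = re.compile(r"<nolog>\s*([^<]+?)\s*</nolog>", re.IGNORECASE)


def parse_nolog(config_text: str) -> list[str]:
    """Return the lower-cased <nolog> patterns found in a config dump."""
    return [m.lower() for m in NOLOG_RE.findall(config_text)]


def is_logged(url: str, nolog: list[str], match_on: str = "host") -> bool:
    """True if a login submitted to `url` would be written to alog.txt.

    match_on="host" tests the patterns against the hostname only,
    match_on="url" against the complete URL. The two disagree for URLs
    that merely mention an exempted word in the path or query string.
    """
    if match_on not in ("host", "url"):
        raise ValueError("match_on must be 'host' or 'url'")
    haystack = (urlsplit(url).hostname or "") if match_on == "host" else url
    haystack = haystack.lower()
    return not any(pattern in haystack for pattern in nolog)


def exposed_sites(visited: list[str], config_text: str,
                  match_on: str = "host") -> list[str]:
    """Hostnames (first-seen order) whose credentials the trojan captured."""
    nolog = parse_nolog(config_text)
    exposed: list[str] = []
    for url in visited:
        host = (urlsplit(url).hostname or "").lower()
        if is_logged(url, nolog, match_on) and host not in exposed:
            exposed.append(host)
    return exposed


# Constructed browsing history: login pages visited while infected.
VISITED = [
    "https://mail.google.com/mail/",             # exempted by "google"
    "https://www.gmx.net/login",                 # logged, as in the post
    "https://login.msn.com/",                    # exempted by "msn"
    "https://www.myspace.com/login",             # exempted by "myspace"
    "https://bank.example/login?promo=google",   # depends on match_on
]

if __name__ == "__main__":
    for mode in ("host", "url"):
        print(f"match_on={mode}: reset passwords for",
              exposed_sites(VISITED, SAMPLE_CONFIG, mode))
```

With hostname matching the bank.example login is reported as exposed; with whole-URL matching the word "google" in its query string would exempt it. Until the real semantics are confirmed, the conservative scoping choice is the hostname variant, which never under-reports a captured credential because of a coincidental string in the URL.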

To disinfect a computer manually, HijackThis can be used to disable the BHO. %System%\jetaccs.dll then has to be renamed (a DLL still loaded in a browser process cannot be deleted, but it can be renamed) and can be deleted after a reboot.

Clemens Kurtenbach
S21sec e-crime





Trojan Sinowal

Recently we did some research on the Trojan Sinowal (also known as Torpig). These days it is one of the most notorious and widespread malware families, with the main objective of stealing bank account information. A big difference to other Trojans is that the main infection is installed in the MBR (Master Boot Record), which makes it harder for AV engines to detect. More information about its history and the way it infects a machine can be found on the GMER website.

Its main purpose is to steal bank account information in a professional manner. The config file, which can be found in 'c:\windows\temp', showed that more than 1000 banks are targeted.

Recent versions of the Sinowal Trojan hook functions in advapi32.dll, wininet.dll and crypt32.dll that are used by Internet Explorer. This lets external code be injected into the web content that is then presented to the user. In general the Sinowal Trojan checks the pages requested in the browser and, on a match (e.g. a URL of a bank defined in the config), loads the additional content to inject from its own malware servers. Communication with these servers uses encrypted POST/GET requests to receive the content to inject. The collected and stolen account information is sent over SSL. Because the hooks sit inside the browser process, on the plaintext side of wininet/crypt32, the injection happens after SSL has been terminated: the padlock and the bank's genuine certificate are still displayed, so the user gets no visual warning.

In order to find its servers the malware generates domain names with a special algorithm. An infected machine therefore requests a series of different domain names until it finds a host that is alive and can provide the requested data.
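The lookup behaviour just described leaves a trace in DNS logs: a client resolving many distinct, short-lived names, most of which do not exist, until one answers. The following is an added example, not code from the S21sec post, that turns this into a detection pass over a DNS query log. The log format (one line per query: timestamp, client, queried name, response code), the log lines themselves and the thresholds are constructed and illustrative; nothing here reproduces Sinowal's actual name-generation algorithm, which the post does not describe.

```python
# Added example, not code from the S21sec post: flag DNS clients that walk
# through a series of generated names until one resolves. The log format,
# the sample log and the thresholds are constructed assumptions.
import math
from collections import Counter, defaultdict

# Constructed log: 10.0.0.5 cycles through generated names, 10.0.0.7 is
# an ordinary user with one typo.
SAMPLE_LOG = """\
2012-03-01T10:00:01 10.0.0.5 xkqvb7mzp.com NXDOMAIN
2012-03-01T10:00:01 10.0.0.5 rtzqw9lkpd.net NXDOMAIN
2012-03-01T10:00:02 10.0.0.5 pvx3kzqmrt.com NXDOMAIN
2012-03-01T10:00:02 10.0.0.5 wqzk8rtvxl.biz NXDOMAIN
2012-03-01T10:00:03 10.0.0.5 mkzptq4vrx.com NXDOMAIN
2012-03-01T10:00:03 10.0.0.5 zqvrxk2tpl.net NXDOMAIN
2012-03-01T10:00:04 10.0.0.5 tpxqz6kvrm.com NXDOMAIN
2012-03-01T10:00:04 10.0.0.5 vxkzqr5tpm.biz NOERROR
2012-03-01T10:00:05 10.0.0.5 vxkzqr5tpm.biz NOERROR
2012-03-01T10:00:10 10.0.0.7 www.google.com NOERROR
2012-03-01T10:00:11 10.0.0.7 mail.google.com NOERROR
2012-03-01T10:00:12 10.0.0.7 www.gmx.net NOERROR
2012-03-01T10:00:13 10.0.0.7 www.myspace.com NOERROR
2012-03-01T10:00:14 10.0.0.7 wwww.gmx.net NXDOMAIN
2012-03-01T10:00:15 10.0.0.7 www.msn.com NOERROR
2012-03-01T10:00:16 10.0.0.7 static.example.net NOERROR
2012-03-01T10:00:17 10.0.0.7 api.example.org NOERROR
"""


def registrable_domain(qname: str) -> str:
    """Crude registrable domain: the last two labels. For ccTLD registries
    with second-level suffixes (co.uk, com.br, ...) use a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; generated labels tend to score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Yield (client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        _ts, client, qname, rcode = fields
        yield client, qname, rcode.upper()


def analyse(text: str, min_queries: int = 8, min_distinct: int = 6,
            min_nx_ratio: float = 0.5) -> dict:
    """Per-client statistics plus a 'flagged' verdict."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": 0.0,
                                      "domains": set(), "resolved": set()})
    for client, qname, rcode in parse_log(text):
        s = per_client[client]
        dom = registrable_domain(qname)
        s["total"] += 1
        s["domains"].add(dom)
        s["entropy"] += shannon_entropy(dom.split(".")[0])
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        else:
            s["resolved"].add(dom)
    report = {}
    for client, s in per_client.items():
        nx_ratio = s["nx"] / s["total"]
        flagged = (s["total"] >= min_queries
                   and len(s["domains"]) >= min_distinct
                   and nx_ratio >= min_nx_ratio)
        report[client] = {
            "total": s["total"],
            "nx": s["nx"],
            "nx_ratio": round(nx_ratio, 3),
            "distinct_domains": len(s["domains"]),
            "mean_label_entropy": round(s["entropy"] / s["total"], 2),
            "flagged": flagged,
            # For a flagged client, the names that did resolve are the live
            # C&C candidates to block and to pivot on in proxy/firewall logs.
            "resolved": sorted(s["resolved"]) if flagged else [],
        }
    return report


def suspicious_clients(text: str) -> list[str]:
    """Clients whose lookup pattern matches the cycling behaviour."""
    return sorted(c for c, r in analyse(text).items() if r["flagged"])


if __name__ == "__main__":
    for client, r in analyse(SAMPLE_LOG).items():
        print(client, r)
```

The verdict is driven by the NXDOMAIN ratio and the number of distinct registrable domains per client; the label entropy is reported as supporting evidence only, since legitimate CDN hostnames can also look random. Thresholds should be tuned against a baseline of the network's own resolver logs before this is put into production.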

GMER can also be used for a quick check and for disinfection of the Sinowal Trojan.

Clemens Kurtenbach
S21sec labs







© Copyright S21sec 2012 - All rights reserved