Discovered: November 7, 2003
Updated: November 8, 2003 2:57:44 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Trojan.Androv is a trojan horse program that will transmit harvested system information to a remote attacker.
It has been reported that this trojan is being distributed over IRC. It may be presented as the archive "komunist.zip", which contains an executable whose name has been reported to vary.
The trojan may be discovered on a compromised system with one of the following filenames:
%System%\Komunist.exe
%System%\Msuser32.exe
When executed, the trojan will create the following copy of itself:
%System%\Msuser32.exe
Next, the trojan will create the following registry entry to hook system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msuser32.exe"="msuser32.exe"
The trojan will then check for an active Internet connection from the compromised host by contacting "www.microsoft.com".
If an active Internet connection is found, the trojan will connect to the following SMTP server:
smtp.mail.ru
It will then transmit an encrypted email message containing system information, for example the operating system version, registered user name, and organization name, to a hardcoded email address.
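The file names, Run value and SMTP server above can be turned into a host sweep. The following PowerShell script is an added example and is not part of the original writeup or any vendor tooling; the indicator values are taken from the page, while the function name Find-AndrovIndicators and the report layout are assumptions made here for illustration. It checks the system directory (and SysWOW64 on 64-bit hosts) for the two file names, inspects the HKLM Run key for the msuser32.exe value, and, where Get-NetTCPConnection is available (Windows 8 / Server 2012 or later), flags any established port 25 session owned by a process with one of the trojan's names.

```powershell
# Added example, not part of the original writeup: sweep the local host for the
# Trojan.Androv indicators this page lists. The file names, Run value and SMTP
# behaviour come from the page; the function name and output format are assumed.

function Find-AndrovIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # %System% in the writeup is the Windows system directory. On 64-bit hosts a
    # 32-bit dropper writing to %System% is redirected to SysWOW64, so check both.
    $systemDirs = @([Environment]::GetFolderPath('System'),
                    [Environment]::GetFolderPath('SystemX86')) | Select-Object -Unique

    foreach ($dir in $systemDirs) {
        foreach ($name in 'Komunist.exe', 'Msuser32.exe') {
            $path = Join-Path -Path $dir -ChildPath $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path
                $findings += [pscustomobject]@{
                    Indicator = 'File'
                    Value     = $path
                    Detail    = '{0} bytes, last written {1:u}' -f $item.Length, $item.LastWriteTime
                }
            }
        }
    }

    # Persistence: the Run value named in the writeup. Match on either the value
    # name or its data so a renamed value that still launches msuser32.exe is caught.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -ne $run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            if ($prop.Name -ieq 'msuser32.exe' -or "$($prop.Value)" -imatch 'msuser32\.exe') {
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'
                    Value     = "$runKey\$($prop.Name)"
                    Detail    = $prop.Value
                }
            }
        }
    }

    # Exfiltration path: the trojan mails its report through an SMTP server, so
    # an established TCP session to port 25 from a process carrying one of the
    # trojan's file names is worth a look. Requires Windows 8 / Server 2012+.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $conns = @(Get-NetTCPConnection -RemotePort 25 -State Established -ErrorAction SilentlyContinue)
        foreach ($conn in $conns) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -imatch '^(msuser32|komunist)$') {
                $findings += [pscustomobject]@{
                    Indicator = 'Network'
                    Value     = '{0} -> {1}:25' -f $proc.ProcessName, $conn.RemoteAddress
                    Detail    = "PID $($conn.OwningProcess)"
                }
            }
        }
    }

    return $findings
}

# Usage: print a table of hits, or a one-line all-clear.
$hits = @(Find-AndrovIndicators)
if ($hits.Count -eq 0) {
    'No Trojan.Androv indicators found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

A file hit alone is worth confirming against the Run key and a hash of the binary, since a legitimate program could in principle share a name; a Run value pointing at msuser32.exe combined with the dropped file is a strong match for the persistence described above. Outbound SMTP from a workstation to smtp.mail.ru can also be blocked or alerted on at the network edge independently of the host check.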