Backdoor.Nibu.D is a Trojan horse that attempts to steal passwords and bank account information.
Backdoor.Nibu.D may have originally arrived in an email containing the text below. This email attempts to exploit a vulnerability in Internet Explorer that allows arbitrary code execution.
Definitions released prior to April 6, 2004 detect these email messages as Bloodhound.Exploit.6.
Subject: Receipt of Payment
Dear friend,
Thank you for your purchase!
This message is to inform you that your order has been received
and will be processed shortly.
Your account is being processed for $79.85, for a 3 month term.
You will receive an account setup confirmation within the next
24 hours with instructions on how to access your account.
If you have any questions regarding this invoice,
please feel free to contact us at <link blocked>.
We appreciate your business and look forward to a great relationship!
Thank You,
The Hashshanklin Team
ORDER SUMMARY
-------------
Web Hosting............. $29.85
Setup................... $30.00
Domain Registration..... $20.00
Sales Date.............. 04/04/2004
Domain.................. sexigerl.com
Total Price............. $79.85
Card Type............... Visa
Another variation of this email refers to "The Tekriter.com Team." It does not use the Bloodhound.Exploit.6 exploit, but clicking the link in the email causes the Trojan to be installed as follows:
- The link points to a Web site with an embedded object tag, containing a link to 2.php.
- 2.php is a .html file containing VBScript commands to drop and execute the file, rtq.vbs.
- Rtq.vbs uses the ADODB stream objects vulnerability to download and execute a file titled ukam.gif. (This file is an executable, not a .gif image.) It is saved as svchostss.exe.
- Svchostss.exe downloads and installs Backdoor.Nibu.D.
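The chain above ends with a download whose name claims to be an image (ukam.gif) but whose content is an executable, saved under a name that imitates the legitimate svchost.exe. The following is an added example, not part of the original writeup, of how a defender could flag both of those indicators when triaging download or proxy records; the sample records, the hostnames and the lookalike-name pattern are constructed assumptions.

```python
import re

# Magic bytes that mark a Windows PE executable (the "MZ" DOS header).
PE_MAGIC = b"MZ"
# Magic bytes a genuine GIF image begins with.
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Names that imitate the legitimate svchost.exe. The page names svchostss.exe;
# the pattern generalises to other "svchost<suffix>.exe" variants (assumption).
LOOKALIKE_SVCHOST = re.compile(r"^svchost(?!\.exe$)[a-z0-9]*\.exe$", re.IGNORECASE)


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when the name claims a .gif but the bytes carry a PE header."""
    claims_gif = filename.lower().endswith(".gif")
    looks_gif = data[:6] in GIF_MAGIC
    looks_pe = data[:2] == PE_MAGIC
    return claims_gif and looks_pe and not looks_gif


def is_svchost_lookalike(path: str) -> bool:
    """True when the file name mimics svchost.exe without being svchost.exe."""
    name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return bool(LOOKALIKE_SVCHOST.match(name))


def triage(downloads):
    """downloads: list of (source_url, saved_as, first_bytes) -> findings."""
    findings = []
    for source, saved_as, head in downloads:
        reasons = []
        if is_disguised_executable(source, head):
            reasons.append("PE executable served under a .gif name")
        if is_svchost_lookalike(saved_as):
            reasons.append("saved under an svchost lookalike name")
        if reasons:
            findings.append((source, saved_as, reasons))
    return findings


# Constructed sample records modelled on the chain above (not captured data).
SAMPLE = [
    ("http://example.invalid/ukam.gif", r"C:\WINDOWS\svchostss.exe", b"MZ\x90\x00\x03\x00"),
    ("http://example.invalid/logo.gif", r"C:\Temp\logo.gif", b"GIF89a\x01\x00"),
    ("http://example.invalid/tool.exe", r"C:\Temp\tool.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for source, saved_as, reasons in triage(SAMPLE):
        print(f"{source} -> {saved_as}: {'; '.join(reasons)}")
```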