Trojan.Mixpel

Risk Level 1: Very Low

Discovered: March 4, 2007
Updated: March 4, 2007 6:04:57 PM
Infection Length: 38796 Bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

It has been reported that Trojan.Mixpel may arrive in a spam email with an attachment named as one of the following:
Greeting Card.zip
postcard.zip
flash postcard.zip

Once executed, the Trojan creates the following file:
%System%\ms[5 RANDOM LETTERS].dll

It then attempts to download a file from [http://]krpb.ru/docs/F[REMOVED] and saves it as %Temp%\setup_x086.exe.

The Trojan then copies itself as the following files:
%Windir%\Help\rundll32.exe
%Windir%\Help\msremote.dll
%Windir%\Help\msw_a.dll
%Windir%\Help\msw_h.dll
%Windir%\Help\msw_k.dll
%Windir%\Help\msw_p.dll
%Windir%\Help\msw_n.exe

It also creates the following clean files:
%System%\setmsx.dat
%System%\dload.ini
%Windir%\Help\ihelp.dat
%Windir%\Help\msobj.hlp
%Windir%\Help\mshelp.log
%Windir%\Help\setmsx.dat
%Windir%\Help\sslog.txt
%Windir%\Help\mswhlp.dat
%System%\iepv_msw.exe

The Trojan then creates the following registry entries so that it is executed when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"MSRemote" = "{78839981-6447-1922-7868-541346117994}"
HKEY_CLASSES_ROOT\CLSID\{78839981-6447-1922-7868-541346117994}\InprocServer32\"{default}" = "C:\WINDOWS\Help\msremote.dll "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"MSHelper" = "{78839981-6447-1922-7868-541346117995}"
HKEY_CLASSES_ROOT\CLSID\{78839981-6447-1922-7868-541346117995}\InprocServer32\"{default}" = "C:\WINDOWS\Help\msw_p.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"UrlMon" = "{17916831-3440-4891-6077-177038848182}"
HKEY_CLASSES_ROOT\CLSID\{17916831-3440-4891-6077-177038848182}\InprocServer32\"{default}" = "%System%\ms[5 RANDOM LETTERS].dll"
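The ShellServiceObjectDelayLoad (SSODL) entries above are the artifacts a responder would look for on a suspect host. The following is an added example, not part of the Symantec writeup: it parses a constructed .reg export (sample data, not captured from a real host) and flags SSODL entries whose CLSID is one listed above, or whose InprocServer32 DLL sits outside %System% (as with %Windir%\Help\msremote.dll) or matches the %System%\ms[5 RANDOM LETTERS].dll naming.

```python
import re
# Constructed .reg fragment (not from a real host) in the shape of Trojan.Mixpel's SSODL persistence.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"MSRemote"="{78839981-6447-1922-7868-541346117994}"
"UrlMon"="{17916831-3440-4891-6077-177038848182}"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
[HKEY_CLASSES_ROOT\CLSID\{78839981-6447-1922-7868-541346117994}\InprocServer32]
@="C:\\WINDOWS\\Help\\msremote.dll "
[HKEY_CLASSES_ROOT\CLSID\{17916831-3440-4891-6077-177038848182}\InprocServer32]
@="C:\\WINDOWS\\system32\\msqzkdl.dll"
"""
SSODL_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"
INPROC_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32\]$", re.I)
VALUE_RE = re.compile(r'^(@|"([^"]*)")="(.*)"$')               # @=default value, "name"=data
MIXPEL_CLSIDS = {"{78839981-6447-1922-7868-541346117994}", "{78839981-6447-1922-7868-541346117995}",
                 "{17916831-3440-4891-6077-177038848182}"}      # CLSIDs named in the writeup
MIXPEL_DLL_RE = re.compile(r"^ms[a-z]{5}\.dll$", re.I)          # %System%\ms[5 RANDOM LETTERS].dll

def parse_reg(text):
    # Returns ({SSODL value name: CLSID}, {CLSID: InprocServer32 default path}).
    ssodl, inproc, section = {}, {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif m := VALUE_RE.match(line):
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3).replace("\\\\", "\\")             # .reg doubles backslashes
            if section.lower() == SSODL_KEY.lower():
                ssodl[name] = data.upper()
            elif (im := INPROC_RE.match(section)) and name == "@":
                inproc[im.group(1).upper()] = data
    return ssodl, inproc

def find_suspicious_ssodl(text):
    # Flags SSODL entries whose CLSID or backing DLL matches the writeup's indicators.
    ssodl, inproc = parse_reg(text)
    hits = []
    for name, clsid in ssodl.items():
        path = inproc.get(clsid, "").strip()
        checks = [(clsid in MIXPEL_CLSIDS, "CLSID listed for Trojan.Mixpel"),
                  (path and "\\system32\\" not in path.lower(), "DLL loaded from outside %System%"),
                  (MIXPEL_DLL_RE.match(path.rsplit("\\", 1)[-1]), "DLL name matches ms[5 letters].dll")]
        reasons = [why for ok, why in checks if ok]
        if reasons:
            hits.append((name, clsid, path, "; ".join(reasons)))
    return hits
```

On a live host the same checks apply to a `reg export` of the two keys; the legitimate WebCheck entry in the sample is there as a control that must not be flagged.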

It then attempts to contact the following URLs with information about the compromised computer:
[http://]nmozebra.ru/language/English/styl[REMOVED]
[http://]fe40.masterhost.ru/language/English/styl[REMOVED]
[http://]whippetzuechter.de/our_dogs/_vti_log/log[REMOVED]
[http://]www.stepvoyage.ru/text/excursion/text/gate[REMOVED]

The Trojan attempts to harvest email addresses from files with the following extensions:
.txt
.tbb
.dbx
.wab
.msg
.htm
.shtm
.stm
.xml
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.sht
.xls
.doc
.oft
.uin
.cgi
.mht
.dhtm
.js
.rtf
.vbs
.tmp

The Trojan then logs keystrokes in certain applications.

The Trojan will also attempt to steal passwords from the following sources:
Internet Explorer Cache
Windows Protected Storage
Outlook Cached Passwords
Firefox Profiles
Remote Access Connections

Writeup By: John Canavan