W32.Manifest.Trojan

Discovered: November 26, 2002
Updated: November 27, 2002 4:25:17 PM
Systems Affected: Windows

W32.Manifest.Trojan is a trojan program that installs an FTP and mail server on the compromised host. It also installs Internet monitoring software that records a user's online actions.

W32.Manifest.Trojan is a trojan program that installs an FTP server, an email server, and a monitoring program on the compromised system. When the trojan is executed, it will create the following files in the %ProgramFiles%\Common Files\Services directory:
Wssdsu.exe
Wssdsup.exe
Wssdtu.exe
Wsys.exe
Wsys.dll
Bigfoot.bmp
Infospbz.bmp
Infospce.bmp
Swtchbrd.bmp
Verisign.bmp
Whowhere.bmp
Yahoo.bmp
Serv-u.ini
Starr.ini
Slog.sys

It then creates the following files in the Windows directory:
See32.dll
See32u.dll
See32z.dll

The Wssdsu.exe file and all the *.bmp files are part of the Serv-U FTP application. This allows the compromised system to be used as an FTP server by remote users. The FTP server listens on TCP port 20 by default.

Wsys.exe, Wsys.dll, and Starr.ini are part of the iOpus STARR PC and Internet Monitoring application. This application records a user's online activity, including websites visited and keystrokes. This could allow a user's online usernames and passwords to be recorded.

See32.dll is an SMTP mail engine from MarshallSoft. See32u.dll and See32z.dll are part of a freeware zip and unzip utility.

The trojan then creates the following registry entries so that the installed services execute every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Enumerate Service = C:\Program Files\Common Files\Services\wsys.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Folder Service = C:\Program Files\Common Files\Services\wssdtu.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Serv-U = C:\Program Files\Common Files\Services\wssdsu.exe
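As an added example that is not part of this write-up, the following PowerShell checks a host for the dropped files and autostart entries listed above. It assumes it is run with administrative rights and that the trojan used the default %ProgramFiles% and Windows directories.

```powershell
# Added example: check a host for the W32.Manifest.Trojan indicators named in the write-up.
# Assumption: run elevated; $env:ProgramFiles and $env:windir match the directories used.

$servicesDir = Join-Path $env:ProgramFiles 'Common Files\Services'
$windowsDir  = $env:windir

# File names taken from the write-up.
$servicesFiles = 'Wssdsu.exe','Wssdsup.exe','Wssdtu.exe','Wsys.exe','Wsys.dll',
                 'Bigfoot.bmp','Infospbz.bmp','Infospce.bmp','Swtchbrd.bmp',
                 'Verisign.bmp','Whowhere.bmp','Yahoo.bmp','Serv-u.ini',
                 'Starr.ini','Slog.sys'
$windowsFiles  = 'See32.dll','See32u.dll','See32z.dll'

# Autostart value names the write-up says the trojan creates.
$runValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = @('Enumerate Service','Folder Service')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' = @('Serv-U')
}

$findings = @()

foreach ($f in $servicesFiles) {
    $p = Join-Path $servicesDir $f
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}
foreach ($f in $windowsFiles) {
    $p = Join-Path $windowsDir $f
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}

foreach ($key in $runValues.Keys) {
    # RunServices does not exist on NT-based Windows; tolerate a missing key.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($name in $runValues[$key]) {
        $entry = $props.PSObject.Properties[$name]
        if ($entry) { $findings += "registry: $key\$name = $($entry.Value)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Manifest.Trojan indicators found.'
} else {
    Write-Output 'Indicators matching the W32.Manifest.Trojan write-up:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the Serv-U or STARR files alone may be a legitimate install of those products; the autostart value names and the shared Common Files\Services drop directory are what tie them to this trojan.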

The trojan also makes an FTP connection to a site at home.pi.be and uploads the information gathered by the iOpus STARR PC and Internet Monitoring application.

This trojan has been seen distributed on the KaZaA P2P network as a video codec called XVID.