Trojan.Androv


Discovered: November 07, 2003
Updated: November 08, 2003 2:57:44 PM
Systems Affected: Windows

Trojan.Androv is a trojan horse program that transmits system information harvested from a compromised host to a Russian email account. The trojan is reportedly distributed via IRC.

Trojan.Androv is a trojan horse program that will transmit harvested system information to a remote attacker.

It has been reported that this trojan is being distributed over IRC. It may be presented as the archive "komunist.zip", which contains an executable whose file name has been reported to vary.

The trojan may be discovered on a compromised system with one of the following filenames:
%System%\Komunist.exe
%System%\Msuser32.exe

When executed, the trojan creates the following copy of itself:
%System%\Msuser32.exe

Next, the trojan creates the following registry value so that it is run at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msuser32.exe"="msuser32.exe"

The trojan then checks whether the compromised host has an active Internet connection by contacting "www.microsoft.com".

If an active Internet connection is found, the trojan connects to the following SMTP server:
smtp.mail.ru
It then transmits an encrypted email message containing system information, such as the operating system version, registered user name, and organization name, to a hardcoded email address.
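The following script is an added example, not part of the original advisory and not Symantec's own tooling. It sweeps a Windows host for the artifacts described above: the two dropped file names under %System%, the "msuser32.exe" value under the HKLM Run key, and any live outbound SMTP (port 25) connection, which is broader than the single server named in the advisory because the script does not resolve smtp.mail.ru. The function name Test-AndrovIndicators and the use of Get-NetTCPConnection (available on Windows 8 / Server 2012 and later) are assumptions of this example.

```powershell
# Added example (not from the original advisory): sweep a host for Trojan.Androv
# indicators. Run from an elevated PowerShell session so HKLM and all processes
# are readable. The function name is this example's own choice.

function Test-AndrovIndicators {
    $system   = [Environment]::GetFolderPath('System')   # expands %System%
    $findings = @()

    # 1. Dropped binaries listed in the advisory
    foreach ($name in 'Komunist.exe', 'Msuser32.exe') {
        $path = Join-Path $system $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type = 'File'; Indicator = $path; Detail = "SHA256=$hash"
            }
        }
    }

    # 2. Run-key persistence: value name "msuser32.exe" under HKLM\...\Run
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            # Flag the exact value name, and any other Run value whose data
            # launches msuser32.exe under a different value name.
            if ($prop.Name -eq 'msuser32.exe' -or
                ("$($prop.Value)" -match '(?i)msuser32\.exe')) {
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Indicator = "$runKey\$($prop.Name)"; Detail = "$($prop.Value)"
                }
            }
        }
    }

    # 3. Live outbound SMTP session (the advisory names smtp.mail.ru on the
    #    standard SMTP port; port 25 is assumed, any remote host is reported).
    Get-NetTCPConnection -RemotePort 25 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Type      = 'Network'
                Indicator = "$($_.RemoteAddress):$($_.RemotePort)"
                Detail    = "PID $($_.OwningProcess) ($($proc.ProcessName))"
            }
        }

    return $findings
}

$results = Test-AndrovIndicators
if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No Trojan.Androv indicators found.'
}
```

A file hit confirms infection only if the binary matches a known sample, so the script prints the SHA-256 for comparison rather than deleting anything; the Run-key and network checks are the cheaper first pass across many hosts.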