Thread: strange virus
05-25-2003, 04:44 PM
SABAI
Confirmed User
 
Join Date: Jan 2001
Location: footmaniac.com
Posts: 2,880
The TROJ_WORTRON.10B Trojan generates Worm samples that it can easily modify. This worm uses Simple Mail Transfer Protocol (SMTP) commands to send emails to recipients listed in the infected user's Windows Address Book. The email format depends on how the Trojan designs it. The subject field, message body, and attachment arrive as different text strings. The email format is different for every worm generated.

This worm may or may not do the following:

Search HTML files for email addresses and send copies of itself to them.
Steal passwords and send them to a certain email address. It may send a file containing key logs at every system startup or once a day.
Terminate installed firewall products such as "OUTPOST.EXE" and "ZONEALARM.EXE".
Display a message box on the first execution of the worm on the infected system.
Upon execution, this worm installs itself on the system. It drops a WININET.EXE file in the Windows System directory. It then modifies the system registry so that WININET.EXE executes whenever an application file is run in the Windows environment. To do this, it changes the default value of the following registry keys from "%1" %* to %sysdir%\wininet.exe "%1" %* :

HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

Thereafter, when the password-stealing option is enabled, it creates an EXELIB.DLL file in the System directory, in which possible passwords are stored. It sends EXELIB.DLL to a certain email address at every system startup or once a day. This email address is pre-set when the worm is generated.
It then displays a message box, which the Trojan generates for the worm. This message box is also an option chosen when the worm is generated.
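The registry change described in the post above (prepending a dropped executable to the exefile open command) is a common persistence trick, and the check a responder would want is whether the default value of those two keys still reads "%1" %*. The following is an added example, not part of the original post or of any vendor tooling. It reads both keys named in the post when run on Windows and otherwise classifies a set of constructed sample values; the stock value "%1" %* is assumed to be the clean baseline, and %sysdir% is treated as the write-up's placeholder for the Windows System directory rather than as a real environment variable.

```python
"""Check the exefile open-command registry value for an interposed program.

Added example for the write-up above; it is not part of the original post.
The clean value and the two registry paths come from the post; the sample
values below are constructed for the demonstration.
"""
import re
import sys
from typing import Dict, NamedTuple, Optional

# Registry paths named in the post. HKEY_CLASSES_ROOT is a merged view whose
# machine-wide half is HKLM\Software\Classes, so both are worth reading.
EXEFILE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)

# Stock Windows value: run the double-clicked file (%1) with its arguments (%*).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

_CLEAN = re.compile(r'"?%1"?\s+%\*', re.IGNORECASE)
_PREFIX = re.compile(r'^(.*?)\s*"?%1"?', re.IGNORECASE)


class Verdict(NamedTuple):
    hijacked: bool
    interposed: Optional[str]  # program wedged in front of "%1", if any
    raw: str


def classify_exefile_command(value: str) -> Verdict:
    """Decide whether an exefile open-command value runs something before %1.

    Only whitespace and quoting differences from '"%1" %*' are tolerated.
    Whatever precedes the %1 placeholder is reported as the interposed program;
    a value with no %1 at all is reported whole.
    """
    stripped = value.strip()
    if _CLEAN.fullmatch(stripped):
        return Verdict(False, None, value)
    m = _PREFIX.match(stripped)
    interposed = (m.group(1) if m else stripped).strip().strip('"')
    # A non-default value with nothing in front of %1 (e.g. '"%1"' dropping %*)
    # is odd but does not launch another program.
    return Verdict(bool(interposed), interposed or None, value)


# Constructed sample values (not taken from a real host). %sysdir% is the
# write-up's placeholder for the Windows System directory, not a real variable.
SAMPLE_VALUES: Dict[str, str] = {
    "stock default": DEFAULT_EXEFILE_COMMAND,
    "hijack as written in the post": r'%sysdir%\wininet.exe "%1" %*',
    "hijack with a quoted absolute path": r'"C:\WINDOWS\System32\wininet.exe" "%1" %*',
    "no %1 at all": r'C:\WINDOWS\System32\wininet.exe',
}


def classify_samples() -> Dict[str, Verdict]:
    """Classify every constructed sample value."""
    return {label: classify_exefile_command(v) for label, v in SAMPLE_VALUES.items()}


def read_live_exefile_commands() -> Dict[str, Optional[str]]:
    """Read the default value of both keys on a Windows host; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module

    targets = {
        EXEFILE_COMMAND_KEYS[0]: (winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command"),
        EXEFILE_COMMAND_KEYS[1]: (winreg.HKEY_LOCAL_MACHINE,
                                  r"Software\Classes\exefile\shell\open\command"),
    }
    found: Dict[str, Optional[str]] = {}
    for label, (hive, subkey) in targets.items():
        try:
            with winreg.OpenKey(hive, subkey) as key:
                value, _kind = winreg.QueryValueEx(key, "")  # "" selects the default value
                found[label] = value
        except OSError:
            found[label] = None  # key missing or unreadable
    return found


if __name__ == "__main__":
    live = read_live_exefile_commands()
    source = live if live else SAMPLE_VALUES
    for label, value in source.items():
        if value is None:
            print(f"{label}: <unreadable>")
            continue
        v = classify_exefile_command(value)
        status = f"HIJACKED by {v.interposed}" if v.hijacked else "clean"
        print(f"{label}: {status}  [{v.raw}]")
```

On a live host the two keys should agree; a clean HKEY_CLASSES_ROOT view paired with a modified HKLM\Software\Classes value (or the reverse) is itself worth a closer look. The value is normally stored as REG_EXPAND_SZ, so an interposed path may contain unexpanded %variables%, which is why the check works on the raw string rather than on an expanded one.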