Initial samples received on: Feb 26, 2007
Memory resident: Yes
File size: 631,808 Bytes
Autostart and Installation
This spyware may arrive on a system as an attachment to spammed email messages.
Upon execution, it drops a copy of itself as ALERTER.EXE and its DLL component as SQLSERVER.DLL in the Windows folder. This DLL file, which Trend Micro also detects as TSPY_MAHA.F, is injected into several running processes on the affected system.
It creates the following registry entry so that it runs automatically at every system startup:
Alerter = "%Windows%\alerter.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Other System Modifications
This spyware disables the Windows Firewall and Windows Firewall notification by creating the following registry entries:
DisableNotifications = "1"
EnableFirewall = "0"
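The following PowerShell script is an added defender-side check, not part of the Trend Micro write-up, that looks for the installation and firewall-tampering indicators described above: the two dropped files in the Windows folder, the Alerter autostart value, the two firewall policy values, and any process that currently has sqlserver.dll loaded. The page gives only the value names, so the registry locations are assumptions: the autostart value is looked for under the standard HKLM and HKCU Run keys, and the firewall values under the StandardProfile FirewallPolicy key.

```powershell
# Added example: hunt for the TSPY_MAHA.F indicators named in the write-up.
# Assumed key locations (the write-up names only the value names):
#   Run keys for the "Alerter" autostart value, and the StandardProfile
#   FirewallPolicy key for EnableFirewall / DisableNotifications.
$findings = @()

# 1. Dropped files in the Windows folder (%Windows% = $env:SystemRoot)
foreach ($name in 'alerter.exe', 'sqlserver.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 2. Autostart entry: Alerter = "%Windows%\alerter.exe"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # assumed location
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # assumed location
)
foreach ($runKey in $runKeys) {
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Alerter']) {
        $value = [string]$run.Alerter
        # Match on the data (path ending in alerter.exe), not just the value name
        if ($value -match '(?i)\\alerter\.exe"?\s*$') {
            $findings += "Autostart value found: $runKey\Alerter = $value"
        }
    }
}

# 3. Firewall tampering: EnableFirewall = 0, DisableNotifications = 1
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'  # assumed location
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    if ($fw.PSObject.Properties['EnableFirewall'] -and [int]$fw.EnableFirewall -eq 0) {
        $findings += "Windows Firewall disabled: $fwKey\EnableFirewall = 0"
    }
    if ($fw.PSObject.Properties['DisableNotifications'] -and [int]$fw.DisableNotifications -eq 1) {
        $findings += "Firewall notifications disabled: $fwKey\DisableNotifications = 1"
    }
}

# 4. Injection indicator: processes that have sqlserver.dll loaded.
#    Module enumeration can fail on protected processes, so errors are swallowed.
$injected = Get-Process | Where-Object {
    try { $_.Modules | Where-Object { $_.ModuleName -ieq 'sqlserver.dll' } } catch { $null }
} | Select-Object -ExpandProperty ProcessName -Unique
foreach ($p in $injected) {
    $findings += "sqlserver.dll loaded in process: $p"
}

if ($findings.Count -eq 0) {
    Write-Output 'No TSPY_MAHA.F indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so that the HKLM keys and other users' processes are readable. The autostart check matches on the value data (a path ending in alerter.exe) rather than on the value name alone, because "Alerter" is also the name of a legitimate Windows service and the name by itself is not conclusive; a hit on the dropped files or on the firewall values alongside it is the stronger signal.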
This spyware monitors all user activities on the affected system. It also monitors running applications and logs keystrokes.
Furthermore, it steals information such as user names, passwords, account numbers, and installation information related to the following applications found on the system:
- Mirabilis ICQ
- Mozilla Firefox
- Paltalk Messenger
- Yahoo! Messenger
The gathered information is posted to a URL from which a malicious user can retrieve it. This routine exposes the user's account information, which may then be used without authorization.
This spyware runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis by: Ricardo O. Pineda Jr.