TROJ_DROPPER.BFU

Malware type: Trojan

Aliases: Trojan-Spy.Win32.Bancos.sb (Kaspersky), PWS-Banker (McAfee), Infostealer.Bancos (Symantec), DR/Spy.Bancos.SB (Avira), Troj/Bancos-APS (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Behavior Diagram shown below.

TROJ_DROPPER.BFU Behavior Diagram

Malware Overview

This Trojan arrives on a system as a file dropped or downloaded by other malware. When executed, it drops a copy of itself as WARTSRV.EXE in the Windows system folder.

This Trojan is capable of downloading and executing other malware on the system. As a result, the routines of the related malware are exhibited on the affected machine.

In addition, it downloads and executes a file named SEVLOCAL2.EXE, which is detected by Trend Micro as TSPY_FLECSIP.O, from a certain URL.

This Trojan has the ability to change the start page of the affected system's Internet Explorer. It can also modify the system's HOSTS file. The said routine is done to prevent affected users from accessing certain Web sites. Upon clicking on the said Web sites, users are instead redirected to the local machine.

Description created: Jun. 22, 2006 8:00:56 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  No

Size of malware: 81,506 Bytes (uncompressed)

Initial samples received on: Jun 21, 2006

Payload 1: Downloads files

Payload 2: Changes start page of Internet Explorer

Payload 3: Modifies HOSTS file

Details:

Installation and Autostart Routine

This Trojan arrives on a system as a file dropped or downloaded by other malware.

Upon execution, it drops a copy of itself as WARTSRV.EXE in the Windows system folder.

It creates the following registry entry to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
useful-soft = "%System%\wartsrv.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Registry Modification

This Trojan changes the start page of the affected system's Internet Explorer by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://www.t{BLOCKED}ngb.com"

(Note: The value data for the abovementioned registry entry is user-defined.)

Download Routine

This Trojan is capable of downloading and executing other malware on the system. As a result, the routines of the related malware are exhibited on the affected machine.

It also downloads and executes a file named SEVLOCAL2.EXE, which is detected by Trend Micro as TSPY_FLECSIP.O, from the following URL:

    http://ns192{BLOCKED}8-ip255.net/tro/COUNTER.EXE

HOSTS File Modification

This Trojan also modifies the system's HOSTS file, which is often located in the following folders:

  • %Windows%
  • %System%\drivers\etc

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

The said routine is done to prevent affected users from accessing Web sites related to certain categories, as follows:

Security and Antivirus Web sites


Other Web sites


Upon clicking on the said Web sites, users are instead redirected to the local machine.

Other Details

This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Alvin Jethro Calderon Bacani

Revision History:

First pattern file version: 4.952.12
First pattern file release date: Jan 18, 2008

SOLUTION


Minimum scan engine version needed: 7.500

Pattern file needed: 4.953.00

Pattern release date: Jan 20, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    useful-soft = "%System%\wartsrv.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
  4. Close Registry Editor.

Resetting Internet Explorer Home Page and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel. Click Start>Settings>Control Panel.
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
  5. Click the Reset Web Settings... button.
  6. Select Also reset my home page. Click Yes.
  7. Click OK.

Removing Malware Entries from the HOSTS File

Deleting the malware's entries from the HOSTS file removes the host name mappings it added.

  1. Open the following file using a text editor (such as NOTEPAD):
    • On Windows 98 and ME:
      %Windows%\HOSTS.SAM
    (Note: %Windows% is the Windows folder, which is usually C:\Windows.)
    • On Windows NT, 2000, XP, and Server 2003:
      %System%\drivers\etc\HOSTS
    (Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
  2. Delete all entries in the HOSTS file that consist of the specific loopback address below, followed by a single space and one of the Web sites in the corresponding category listed above:
    • 2130706433 for Security and Antivirus Web sites
    • 1223167117 for Other Web sites
  3. In place of the deleted entries, type the following string:
    127.0.0.1 localhost
  4. Save the file and close the text editor.
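The HOSTS check described under HOSTS File Modification and the removal steps above, as an added example (not a Trend Micro tool): the malware writes its addresses as decimal integers (2130706433 and 1223167117), which the Windows resolver still accepts, so a search for "127.0.0.1" would miss them. The script below flags any entry whose address is one of those two, strips it, and keeps or restores the 127.0.0.1 localhost line; the sample HOSTS content is constructed.

```python
"""Find and strip the HOSTS entries described in the TROJ_DROPPER.BFU advisory.

Added example, not Trend Micro's own code. The decimal address form is what the
advisory lists; decimal_to_dotted() shows how the resolver reads such a value.
"""

# Address strings exactly as the advisory says they appear in the HOSTS file.
MALWARE_ADDRESSES = {
    "2130706433": "Security and Antivirus Web sites",
    "1223167117": "Other Web sites",
}

LOCALHOST_LINE = "127.0.0.1 localhost"


def decimal_to_dotted(value: str) -> str:
    """Render a decimal IPv4 integer as the dotted quad the resolver interprets it as."""
    n = int(value)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit address: {value}")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_entry(line: str):
    """Return (address, [hostnames]) for a HOSTS line, or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1:]


def is_malware_entry(line: str) -> bool:
    """True when the line maps a host name to one of the advisory's addresses."""
    entry = parse_entry(line)
    return entry is not None and entry[0] in MALWARE_ADDRESSES


def has_localhost_mapping(lines) -> bool:
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and entry[0] == "127.0.0.1" and "localhost" in entry[1]:
            return True
    return False


def clean_hosts(text: str):
    """Return (cleaned_text, removed_hostnames) for the contents of a HOSTS file."""
    kept, removed = [], []
    for line in text.splitlines():
        if is_malware_entry(line):
            removed.extend(parse_entry(line)[1])
        else:
            kept.append(line)
    # Step 3 of the advisory: the standard localhost mapping must remain.
    if not has_localhost_mapping(kept):
        kept.append(LOCALHOST_LINE)
    return "\n".join(kept) + "\n", removed


# Constructed sample resembling a HOSTS file after infection (not a real capture).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
2130706433 avp.com
2130706433 www.trendmicro.com
1223167117 google.com
1223167117 paypal.com
"""


def main():
    for addr, category in MALWARE_ADDRESSES.items():
        print(f"{addr} resolves as {decimal_to_dotted(addr)} ({category})")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("removed mappings for:", removed)
    print(cleaned, end="")


if __name__ == "__main__":
    main()
```

Run it against a copy of the real file on an affected machine (the paths are given in step 1) and write the cleaned text back only after reviewing the removed host names.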

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_DROPPER.BFU and TSPY_FLECSIP.O. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
