Installation
When executed, the trojan copies itself in the %temp% folder using the following filename:
clea%num%.dll
The %num% stands for a random number.
The trojan registers itself as a system service using the following name:
ldrsvc
Two files are downloaded from the Internet. The files are stored in one of the following folders:
%commonfiles%\Microsoft Shared\Web Folders
%system%\..\temp
The following filename is used:
ibm%num%.dll
The %num% stands for a random number.
The following file is modified:
%system%\drivers\etc\hosts
The trojan deletes the original executable and the ldrsvc service.
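The installation artifacts listed above can be checked against a host's file and service inventory. The following is an added example, not part of the original description; it assumes %num% is a run of decimal digits, and the function name, environment mapping and sample inventory are constructed for illustration.

```python
import ntpath  # pure-string Windows path handling; works on any OS
import re

# Indicators from the description above. Assumption: %num% is decimal digits.
DROPPED = re.compile(r"clea\d+\.dll")
DOWNLOADED = re.compile(r"ibm\d+\.dll")
SERVICE = "ldrsvc"
DOWNLOAD_DIRS = (r"%commonfiles%\Microsoft Shared\Web Folders", r"%system%\..\temp")

def scan(files, services, env):
    """Return (indicator, value) findings for a file and service inventory.

    env maps %temp%, %commonfiles% and %system% to the host's real folders.
    """
    def resolve(template):
        for var, value in env.items():
            template = template.replace(var, value)
        return ntpath.normpath(template).lower()  # collapses the '..' segment

    temp_dir = resolve("%temp%")
    download_dirs = {resolve(d) for d in DOWNLOAD_DIRS}
    findings = []
    for path in files:
        parent, name = ntpath.split(ntpath.normpath(path).lower())
        if parent == temp_dir and DROPPED.fullmatch(name):
            findings.append(("dropped copy", path))
        elif parent in download_dirs and DOWNLOADED.fullmatch(name):
            findings.append(("downloaded component", path))
    # The service is deleted after installation, so its absence proves nothing.
    findings += [("service", s) for s in services if s.lower() == SERVICE]
    return findings

# Constructed sample inventory (not taken from a real host).
ENV = {"%temp%": r"C:\Users\alice\AppData\Local\Temp",
       "%commonfiles%": r"C:\Program Files\Common Files",
       "%system%": r"C:\Windows\System32"}
FILES = [r"C:\Users\alice\AppData\Local\Temp\clea4821.dll",
         r"C:\Windows\Temp\ibm77.dll",
         r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\IBM301.DLL",
         r"C:\Windows\System32\clean.dll",
         r"C:\Users\alice\Documents\ibm77.dll"]
SERVICES = ["Dhcp", "LdrSvc", "Spooler"]

if __name__ == "__main__":
    for finding in scan(FILES, SERVICES, ENV):
        print(finding)
```

File names are matched only inside the folders the description names, so a look-alike such as clean.dll or an ibm%num%.dll elsewhere on disk is not reported.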
Information stealing
The following information is collected:
computer IP address
computer name
e-mail accounts data
FTP accounts data
passwords
Internet Explorer Favorites
The programs affected include the following:
AK-Mail
Crystal FTP Pro
Eudora
FAR
FlashFXP
GlobalSCAPE
Ipswitch
LeechFTP
Microsoft Outlook
Microsoft Outlook Express
Rhino Software
StarFinanz
The Bat
Thunderbird
TRELLIAN
The trojan interferes with communication when any of the following sites is accessed:
cib.ibanking-services.com
banking.raiffeisen.at
bankingportal.naspa.de
ykb.teleweb.com.tr
*vr-*ebanking.de
The collected information is stored in the following folder:
%system%\..\temp
The trojan can send the information to a remote machine. The HTTP protocol is used.
Other information
The trojan opens a random TCP port. A SOCKS proxy is listening there.
