Threat Encyclopedia

Installation

When executed, the trojan copies itself into the %temp% folder using the following filename:

clea%num%.dll

The %num% stands for a random number.

The trojan registers itself as a system service using the following name:

ldrsvc

Two files are downloaded from the Internet. The files are stored in one of the following folders:

%commonfiles%\Microsoft Shared\Web Folders
%system%\..\temp

The following filename is used:

ibm%num%.dll

The %num% stands for a random number.

The following file is modified:

%system%\drivers\etc\hosts

The trojan deletes the original executable and the ldrsvc service.

Information stealing

The following information is collected:
computer IP address
computer name
e-mail accounts data
FTP accounts data
passwords
Internet Explorer Favorites

The programs affected include the following:

AK-Mail
Crystal FTP Pro
Eudora
FAR
FlashFXP
GlobalSCAPE
Ipswitch
LeechFTP
Microsoft Outlook
Microsoft Outlook Express
Rhino Software
StarFinanz
The Bat
Thunderbird
TRELLIAN

The trojan interferes with communication when any of the following sites is accessed:

cib.ibanking-services.com
banking.raiffeisen.at
bankingportal.naspa.de
ykb.teleweb.com.tr
*vr-*ebanking.de
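The hosts-file modification and the banking sites listed above give a defender two concrete things to check: a hosts file should never carry entries for these domains, and dropped files follow the clea%num%.dll / ibm%num%.dll naming scheme. The following is an added example (not part of the encyclopedia entry) that scans hosts-file text for the listed sites, honouring the wildcard pattern, and tests file names against the dropped-file scheme; the sample hosts content is constructed.

```python
import fnmatch
import re

# Indicators taken from the encyclopedia entry above.
BANKING_SITES = [
    "cib.ibanking-services.com",
    "banking.raiffeisen.at",
    "bankingportal.naspa.de",
    "ykb.teleweb.com.tr",
    "*vr-*ebanking.de",  # wildcard pattern, as written in the entry
]

# Dropped-file naming from the entry: clea<number>.dll and ibm<number>.dll.
DROPPED_FILE_RE = re.compile(r"^(clea|ibm)\d+\.dll$", re.IGNORECASE)


def matches_banking_site(hostname):
    """True if hostname matches one of the listed sites (wildcards allowed)."""
    return any(fnmatch.fnmatchcase(hostname.lower(), p) for p in BANKING_SITES)


def scan_hosts(hosts_text):
    """Return (ip, hostname) pairs that map a listed banking site to any address.
    A clean hosts file has no reason to name these hosts at all."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if matches_banking_site(name):
                findings.append((ip, name))
    return findings


def is_dropped_filename(filename):
    """True if a file name follows the clea%num%.dll / ibm%num%.dll scheme."""
    return bool(DROPPED_FILE_RE.match(filename))


# Constructed sample hosts file (not a real capture); 192.0.2.x is documentation space.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.0.2.10      banking.raiffeisen.at
192.0.2.10      www.vr-bank-ebanking.de   # matches *vr-*ebanking.de
192.0.2.11      update.example.net
"""

if __name__ == "__main__":
    for ip, name in scan_hosts(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a live system, feed the contents of %system%\drivers\etc\hosts to scan_hosts and the file names found in %temp% and the two download folders to is_dropped_filename.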

The collected information is stored in the following folder:

%system%\..\temp

The trojan can send the collected information to a remote machine over HTTP.

Other information

The trojan opens a random TCP port on which a SOCKS proxy listens.