Archive for May, 2007


The Cimuz uninstaller

Checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to a file named remover.exe:

After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had previously been installed from that very same server.

I suppose this is how the author tests whether the Trojan works properly and then gets the test machine easily disinfected using the uninstaller.



Pirates of the Caribbean: At World’s End

No, this is not about the Disney movie that you can see in cinemas today. A message with an attached file that is supposed to be the movie trailer has been sent out massively; the file is named:

Official_Trailer_Pirates_of_the_Caribbean_At_World’s_End.exe

We have received several hundred samples, proactively blocked by TruPrevent, most of them coming from Italy. Once you run the file (detected as Trj/Pirabbean.A), it shows you the following message:

At the same time, it downloads and installs a dialer, and also creates two shortcuts on the desktop:

It also changes some Internet Explorer settings (adding 2 URLs to the Trusted Sites zone). If you visit those URLs, it installs some more dialers.
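Those Trusted Sites additions live under Internet Explorer's ZoneMap\Domains registry key, where each domain is a subkey, the value name is the URL scheme and the DWORD data is the zone number (2 = Trusted sites). The Python below is an added example rather than code from the original post: it parses a .reg export of that per-user key and lists every host placed in the Trusted sites zone, so unexpected entries like the ones this Trojan adds stand out; the export text is constructed with placeholder domains, not the Trojan's actual URLs, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Per-user key where IE stores zone assignments: each domain is a subkey and each
# value maps a URL scheme ("http", "*", ...) to a zone number (2 = Trusted sites).
ZONEMAP_PREFIX = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
TRUSTED_SITES_ZONE = 2

# Constructed sample of a .reg export; placeholder domains, not the Trojan's real URLs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dialer-host.example]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\another.example\www]
"http"=dword:00000002
"""


def parse_zonemap(reg_text: str) -> Dict[str, Dict[str, int]]:
    """Map each host name in the export to its {scheme: zone} assignments."""
    zones: Dict[str, Dict[str, int]] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[HKEY_[A-Z_]+\\(.+)\]$", line)
        if key:
            path = key.group(1)
            if path.lower().startswith(ZONEMAP_PREFIX.lower() + "\\"):
                # A host (e.g. www) is a subkey of its domain, so join in host.domain order.
                parts = path[len(ZONEMAP_PREFIX) + 1:].split("\\")
                current = ".".join(reversed(parts))
                zones.setdefault(current, {})
            else:
                current = None  # some other key in the export; ignore its values
            continue
        value = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if value and current is not None:
            zones[current][value.group(1)] = int(value.group(2), 16)
    return zones


def trusted_site_entries(reg_text: str, allowlist: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return sorted (host, scheme) pairs in the Trusted sites zone, minus known-good hosts."""
    hits = []
    for host, schemes in parse_zonemap(reg_text).items():
        if host in allowlist:
            continue
        hits.extend((host, s) for s, z in schemes.items() if z == TRUSTED_SITES_ZONE)
    return sorted(hits)
```

Export the live key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` and feed the file contents to `trusted_site_entries`, passing the organisation's legitimate trusted hosts as the allowlist.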



A new server hosting a Briz

VisualBreeze or VisualBriz is another malware that is usually sold in forums of malware developers, similar to the ones we mentioned in “Cybercrime for sale”.

I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, taking up 2.61 Gigabytes.

After checking the server where it was installed, I noticed that, unlike other variants of Briz, this one came with a Parser module that sends the information from the files to a MySQL database managed through phpMyAdmin. This makes it easier and faster to search the information obtained from the infected users.

This module has several options:
The “View” option shows the logs and allows searching by domain or by text:

The “Templates” option allows patterns to be defined in order to filter the information:

The server came with these “Templates” already created:

rapidshare.com
paypal.com
e-gold.com
ftp
ebay.de
yahoo.com
Apart from the information it steals, it also allows the infected machines to be accessed in order to use them as proxies:

Around 478 new machines are infected daily.
These are the statistics displayed by the proxy module, which are continuously updated:

This variant of Trj/Briz is now detected by signature as Trj/Briz.X, but before that signature existed our TruPrevent Technologies had already detected and successfully blocked it.