Computer Crime Research Center


A Russian response to Osama Bin Laden virus

Date: July 27, 2004
Source: Computer Crime Research Center
By: Ludmila Goroshko

On Friday, a virus purporting to show images of Osama bin Laden's suicide popped up on the Internet, designed to entice recipients to open a file that unleashes malicious software code, security experts say. Users received emails linking to an "OsamaFoundDead.zip" archive that contained the Hackarmy.i backdoor trojan. The server that hosted this file is currently shut down and no longer poses a threat to users.

In response to this, Russian virus-makers created a trojan hidden in a Flash movie named "BushF*Cowboy.exe". When the user runs this file, it only installs the main trojan, Trojan.PSW.LdPinch, the Ukrainian Antivirus Center (UAC) reports.

Once again, virus creators used social engineering techniques to flood the global network, producing a local epidemic with a virus that had no active means of its own to distribute itself, experts from UAC say.

For your information:

This family of Trojans steals user passwords.

When launched, the Trojan writes the following value to the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
putil = %windir%\%file name%

This ensures that the Trojan will be run every time the system is started.

It then copies itself to the Windows folder, and launches itself from there, deleting the original file.
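A defender's check for the persistence described above, as an added example that is not part of the original article: it parses the text output of `reg query` for the Run key and flags the `putil` value name and any entry whose executable sits directly in the Windows folder. The sample output, the file names in it and the list of Windows-folder spellings are constructed assumptions.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the HKCU Run key; file names are made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\anna\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    putil    REG_SZ    C:\WINDOWS\flashmov.exe
    Sync Helper    REG_EXPAND_SZ    %windir%\system32\synchelper.exe -q
    updater    REG_SZ    %WINDIR%\upd32.exe
"""

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE_END = re.compile(r"^(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", re.I)
# Assumed spellings of the Windows folder; extend for other install locations.
WINDIR_FORMS = ("%windir%", "%systemroot%", r"c:\windows", r"c:\winnt")


def command_path(data):
    """Return the executable path from a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = EXE_END.match(data)
    return m.group(1) if m else data


def review_run_values(reg_query_output):
    """Return (name, path, reasons) for Run values that match the article's description."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = command_path(m["data"])
        folder = ntpath.dirname(path).lower().rstrip("\\")
        reasons = []
        if m["name"].lower() == "putil":
            reasons.append("value name 'putil'")
        if folder in WINDIR_FORMS:  # directly in the Windows folder, not a subfolder
            reasons.append("executable directly in Windows folder")
        if reasons:
            findings.append((m["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in review_run_values(SAMPLE):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```

The second rule is a heuristic for review rather than a verdict, since legitimate software occasionally registers a program from the Windows folder.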

The Trojan harvests information about the system (operating system, configuration etc.) and passwords for a range of services and applications, including RAS, POP3, IMAP, ICQ, FTP etc.

The information collected is encoded using MIME (Base64) and sent to the Trojan's author by email, using an SMTP server whose IP address is hard-coded in the Trojan's body.

