A New Trojan Variant
A Trojan horse that infects computers and renders them dysfunctional has been on the loose. According to a researcher at security firm McAfee, the attack tool uses Microsoft Windows' Encrypting File System (EFS) to carry its payload through the system while still evading detection. The Trojan was discovered in early August, but its volume has recently increased.
The Trojan horse has two main parts: Qdial-45, a dialer, and Spy-Agent.bf, an encrypted downloader.
Qdial-45 is an encrypted Trojan that disconnects the modem and dials a different number at a more expensive rate; it uses these calls to display adult material. It is generally downloaded through a Browser Helper Object (BHO) and has two components: a DLL downloader and a PE file. The DLL downloader copies itself into data streams, giving each copy a random name.
The downloader uses EFS to obscure its activity as it retrieves updated content from a series of websites. It also attempts to download copies of the Spy-Agent.bf Trojan: it creates a new set of login credentials and uses them to run the encrypted file, which in turn downloads variants of Spy-Agent.bf.
According to McAfee's research blog, the Trojan creates an administrator account with a random name and password. It then uses that login pair to encrypt the downloader component, and finally creates a service with a random name that points to the encrypted file and is configured to log on with the newly created credentials.
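The three steps just described (create an admin account, encrypt the downloader under it, install a service that logs on as that account) leave a recognisable trail in the Windows event logs. The following detection sketch is an added example, not code from the article or from McAfee: it correlates a handful of constructed sample events (hypothetical account and service names) using the standard Security/System log event IDs 4720 (user account created), 4732 (member added to a local group) and 7045 (service installed), and flags any service whose logon account was created and made an administrator only minutes earlier. The `is_efs_encrypted` helper shows how the encrypted-file attribute would be checked on the service binary itself; on Windows the attribute value comes from `os.stat(path).st_file_attributes`.

```python
import stat
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One Windows event, already parsed from the Security or System log."""
    time: datetime
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample events (hypothetical names and paths, not from the article).
# 4720 = user account created, 4732 = member added to a local group,
# 7045 = a service was installed.
SAMPLE_EVENTS = [
    Event(datetime(2006, 9, 14, 8, 0, 0), 4720, {"TargetUserName": "jsmith"}),
    Event(datetime(2006, 9, 14, 8, 0, 30), 4732,
          {"GroupName": "Administrators", "MemberName": "jsmith"}),
    Event(datetime(2006, 9, 14, 9, 30, 0), 7045,
          {"ServiceName": "BackupAgent",
           "ImagePath": r"C:\Program Files\Backup\agent.exe",
           "AccountName": "LocalSystem"}),
    Event(datetime(2006, 9, 14, 10, 0, 0), 4720, {"TargetUserName": "xk7q2"}),
    Event(datetime(2006, 9, 14, 10, 0, 1), 4732,
          {"GroupName": "Administrators", "MemberName": "xk7q2"}),
    Event(datetime(2006, 9, 14, 10, 0, 5), 7045,
          {"ServiceName": "svc_a91f",
           "ImagePath": r"C:\WINDOWS\system32\dl_a91f.exe",
           "AccountName": r".\xk7q2"}),
    Event(datetime(2006, 9, 14, 11, 0, 0), 7045,
          {"ServiceName": "Scheduler",
           "ImagePath": r"C:\Tools\sched.exe",
           "AccountName": r".\jsmith"}),
]


def normalise_account(name: str) -> str:
    """Strip a '.\\' or 'MACHINE\\' prefix so 7045 account names match 4720/4732 names."""
    return name.rsplit("\\", 1)[-1].lower()


def detect_new_admin_service_chain(events, window=timedelta(minutes=15)):
    """Return findings where, within `window` of its creation, an account was
    added to Administrators and then used as the logon identity of a new service.
    The benign jsmith account is created and promoted but only gets a service
    three hours later, so it falls outside the window and is not reported."""
    created = {}      # account -> creation time (from 4720)
    admin_since = {}  # account -> time it joined Administrators (from 4732)
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        f = ev.fields
        if ev.event_id == 4720:
            created[normalise_account(f["TargetUserName"])] = ev.time
        elif ev.event_id == 4732 and f.get("GroupName", "").lower() == "administrators":
            acct = normalise_account(f["MemberName"])
            if acct in created and ev.time - created[acct] <= window:
                admin_since[acct] = ev.time
        elif ev.event_id == 7045:
            acct = normalise_account(f.get("AccountName", ""))
            if acct in admin_since and ev.time - created[acct] <= window:
                findings.append({
                    "account": acct,
                    "service": f["ServiceName"],
                    "image_path": f["ImagePath"],
                    "account_age": ev.time - created[acct],
                })
    return findings


def is_efs_encrypted(win_attributes: int) -> bool:
    """True when FILE_ATTRIBUTE_ENCRYPTED (0x4000) is set in a file's Windows
    attribute bits; pair this with the service's ImagePath to confirm the binary
    is an EFS-encrypted file, which a scanner running as another user cannot read."""
    flag = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0x4000)
    return bool(win_attributes & flag)


if __name__ == "__main__":
    for hit in detect_new_admin_service_chain(SAMPLE_EVENTS):
        print(f"[!] service {hit['service']} logs on as new admin '{hit['account']}' "
              f"({hit['account_age']} after creation): {hit['image_path']}")
```

Run against the sample, the only finding is `svc_a91f` running as `xk7q2`, which was created five seconds before the service appeared. In a real deployment the events would be fed from the Security and System logs (or a SIEM export) in place of `SAMPLE_EVENTS`, and a hit whose `image_path` is also EFS-encrypted under that new account is the pattern the article describes.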
McAfee advises users to stay away from the sites that distribute the Trojan, as they may lead to various browser exploits. Other malware could apply similar EFS-based techniques. Existing and new systems should be protected from such malicious programs by deploying up-to-date anti-virus software that detects both old and new threats. It is also necessary to check the source of downloaded files and to read license agreements thoroughly before installing programs.
These new versions of the Trojan horse are the latest malicious programs to use encryption to conceal themselves from desktop security software such as anti-virus products.
» SPAMfighter News - 14-09-2006