This detection is for a downloading trojan known to have been spammed to many users on several occasions. The most recent spamming occurred on May 23, 2004, in a message as follows:
--
From: cosmo [[email protected]]
Subject: International Virtual Greetings Center
Body:
Congratulations! You've recieved a postcard from your mom!
"I Sent the Sun"
Picture attached.
========
International Virtual Greetings Center
www.freegreetings.com
Attachment: Picture.zip (containing report.pif)
--
May 16, 2004 spamming:
--
From: sales [[email protected]]
Subject: Re: Payment approved (invoce #5997)
Body:
Dear customer! Thank you for shopping with us!
Sales department approved your payment, you will be billed
within 2 days. Shipping UPS ground insured.
See the attached file for details. (report # 5986)
Attachment: REPORT.ZIP (Zip file containing REPORT.EXE)
--
Other mass mailings include the following message:
--
From: support ([email protected]) (the sender address may change)
Subject: Re: item purchase
Body:
Thank you for shopping with us!
See the attached file for details.
Best Regards!
Attachment: DETAILS.ZIP (Zip file containing DETAILS.EXE)
--
The trojan exists only to download and execute a remote file (the path to which is stored inside the trojan). Access to the following domains should be blocked at the firewall to prevent the file download:
http://marnet.us
http://animalloversleague.org
http://technalytics.net
When run, it attempts to download this file via HTTP, saving it to the Windows system directory under one of the following names:
%SysDir%\TEMPFILE.EXE
%SysDir%\TMPFILE.EXE
This file is then executed.
Obviously the exact contents of this file may change. At the time of writing it is a remote access trojan, detection for which is included in the daily DATs as BackDoor-BAC.
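The two indicators above (the download domains to block and the dropped file names in the system directory) are what a responder would actually check for. The following Python script is an added example, not part of this description or any vendor tool: it scans proxy or firewall log lines for HTTP requests to the listed domains (matching subdomains as well, which goes slightly beyond the description) and looks for TEMPFILE.EXE / TMPFILE.EXE in %SystemRoot%\System32. The log format and log lines are constructed for the example; only the domains and file names come from the description.

```python
"""Triage helpers for the downloader described above.

Added example, not vendor code. Checks a responder can run:
  1. scan proxy/firewall log lines for requests to the listed download domains;
  2. look for the dropped files TEMPFILE.EXE / TMPFILE.EXE in the system directory.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Download domains named in the description (block these at the firewall).
DOWNLOAD_DOMAINS = {"marnet.us", "animalloversleague.org", "technalytics.net"}

# File names the downloader writes into %SysDir%.
DROPPED_FILES = {"TEMPFILE.EXE", "TMPFILE.EXE"}

# Captures the host part of any http:// or https:// URL found in a log line.
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _host_matches(host: str) -> bool:
    """True when host is a listed domain or a subdomain of one.

    Subdomain matching is an extension beyond the description's bare domains;
    a suffix like 'technalytics.net.example.org' is deliberately NOT matched.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOWNLOAD_DOMAINS)


def find_download_attempts(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, host) for each log line requesting a listed domain."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        for host in _URL_HOST.findall(line):
            if _host_matches(host):
                hits.append((lineno, host.lower()))
                break  # one hit per line is enough for triage
    return hits


def match_dropped_names(names: Iterable[str]) -> List[str]:
    """Return the entries of names that are one of the dropped file names (case-insensitive)."""
    return [n for n in names if n.upper() in DROPPED_FILES]


def find_dropped_files(sysdir: Optional[str] = None) -> List[str]:
    """Return full paths of TEMPFILE.EXE / TMPFILE.EXE present in the system directory.

    sysdir defaults to %SystemRoot%\\System32 (the %SysDir% of the description);
    pass a directory explicitly to check a mounted disk image instead.
    """
    if sysdir is None:
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if not os.path.isdir(sysdir):
        return []
    return [os.path.join(sysdir, n) for n in match_dropped_names(os.listdir(sysdir))]


# Constructed sample proxy log lines (not real traffic) so the script runs offline.
SAMPLE_LOG = [
    "2004-05-23 10:14:02 10.0.0.17 GET http://www.example.com/index.html 200",
    "2004-05-23 10:14:09 10.0.0.17 GET http://marnet.us/cgi-bin/x.exe 200",
    "2004-05-23 10:15:40 10.0.0.21 GET http://cdn.technalytics.net/a.exe 200",
    "2004-05-23 10:16:01 10.0.0.21 GET http://technalytics.net.example.org/ 200",
]

if __name__ == "__main__":
    for lineno, host in find_download_attempts(SAMPLE_LOG):
        print(f"line {lineno}: request to download domain {host}")
    for path in find_dropped_files():
        print(f"dropped file present: {path}")
```

Run as-is it reports lines 2 and 3 of the constructed log and then checks the local system directory; on a non-Windows analysis box the file check simply returns nothing unless a directory is passed in.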