Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Trojan Programs / Trojan Proxies

Trojan-Proxy.Win32.Webber.a

Aliases
Trojan-Proxy.Win32.Webber.a (Kaspersky Lab) is also known as: TrojanProxy.Win32.Webber.a (Kaspersky Lab), BackDoor-AXJ.dll.gen (McAfee),   Backdoor.Berbew (Symantec),   Trojan.Webber.10 (Doctor Web),   Troj/Webber-C (Sophos),   TrojanProxy:Win32/Neher.A (RAV),   TROJ_WEBBER.A (Trend Micro),   TR/Webber.10.A.dll2 (H+BEDV),   Win32:Trojan-gen. (ALWIL),   Proxy.P (Grisoft),   Trojan.Proxy.Neher.A (SOFTWIN),   Bck/Webber.E (Panda),   Win32/TrojanProxy.Webber.C (Eset)
Description added Jul 16 2003
Behavior TrojanProxy
Technical details

Webber (aka Heloc) is a Win32 trojan program that installs a hidden proxy server on victim machines (with up to 100 connections), reports IP addresses and cached passwords of victim machines to its 'master'. The trojan also downloads (from a URL) and executes other EXE files such as its upgrades.

The Webber trojan was mass-mailed on July 16, 2003. The message had an attached "downloader" (see below) with the name web.da.us.citi.heloc.pif:

Infected messages

Message header:

Re: Your credit application

Message body:

Dear sir, Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile
and Chexsystems information, which didn't satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time. *Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.

Installation

When the downloader is run it downloads and executes the main trojan EXE file which creates an additional DLL "helper".

The trojan has three components:

 EXE downloader (5664 bytes in size)
 EXE trojan (39140 bytes in size)
 DLL component (5633 bytes in size)

The main EXE component copies itself to the Windows system directory using randomly selected names and also drops the DLL component under a randomly selected name as well.

The trojan program does not register itself in any auto-run registry key or Windows INI files. However, when the trojan is run, it will modify the following registry keys:

[HKCR\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}]
   InProcServer32 = %trojan DLL name%
   ThreadingModel = Apartment

 [HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Web Event Logger = {79FA9088-19CE-715D-D85A-216290C5B738}

As a result, upon the correct set of events the trojan DLL file will be activated.

The code contains the following copyright text string:

Webber10
 		 

Copyright © 1996 - 2009
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com