-- Update 10th Jan 2003 --
A new variant of this trojan (file length: 283,648 bytes, tElock packed) is downloaded by the W32/Sobig@MM worm. Detection of this variant requires the 4242 DATs.
This trojan appears to be related to Downloader-BN. However, at a specific date/time this trojan opens port 1180 on the victim machine enabling the hacker to remotely access the machine.
The trojan contains password stealing keylogger code. This trojan connects to a geocities.com user's site to retrieve a URL. It then navigates to that URL, passing the following information:
- IP address
- Drive letters and type
- Windows version
- Machine name
The trojan queries several registry keys to report on the installation status of several programs:
- Return to Castle Wolfenstein
- Soldier of Fortune II
The content of the web page accessed is saved to the file NBVLK32.NDR in the WINDOWS SYSTEM (%SysDir%) directory. A copy of the trojan is saved to the %SysDir% directory as MPTASK.EXE and a registry run key is created:
Run "MPtask Services" = C:\WINDOWS\SYSTEM\mptask.exe
A keylogger dll is dropped in the %SysDir% directory as well: NBRBK32.DLL. The trojan attempts to steal cookies associated with PayPal, iFriend, E-Bullion, EZCardin, Chase, Evocash, Gold, Account Access, Nettler, WebMoney, eBay, and banks. It monitors typed keystrokes.
The trojan periodically connects to the author's site to retrieve commands and the date and time. At a specified date/time, the trojan opens TCP port 1180 and sends a notification to the geocities.com user page, including the IP address and password needed to access the infected system.
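As an added host-triage example (not code from the original writeup or the vendor), the following Python checks constructed host evidence for the indicators listed above: the dropped files in %SysDir%, the "MPtask Services" Run key entry, and a listener on TCP port 1180. The indicator values come from the description; the .reg export and Windows `netstat -an` input formats and the sample evidence are assumptions.

```python
import re

# Indicators taken from the writeup above (lower-cased for comparison).
DROPPED_FILES = {"mptask.exe", "nbvlk32.ndr", "nbrbk32.dll"}
RUN_VALUE_NAME = "mptask services"
BACKDOOR_PORT = 1180


def check_sysdir(filenames):
    """Dropped-file names present in a %SysDir% directory listing."""
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)


def check_run_key(reg_export):
    """Run key entries (from a .reg-style export) matching the trojan's autostart value."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'^\s*"([^"]+)"\s*=\s*"?(.*?)"?\s*$', line)
        if m and (m.group(1).lower() == RUN_VALUE_NAME
                  or m.group(2).lower().endswith("mptask.exe")):
            hits.append((m.group(1), m.group(2)))
    return hits


def check_listeners(netstat_text):
    """Local endpoints in Windows 'netstat -an' output listening on TCP 1180."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if (len(parts) == 4 and parts[0].upper() == "TCP"
                and parts[3].upper() == "LISTENING"
                and parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT)):
            hits.append(parts[1])
    return hits


def triage(filenames, reg_export, netstat_text):
    """Run all three checks and return human-readable findings."""
    findings = [f"dropped file present: {f}" for f in check_sysdir(filenames)]
    findings += [f"autostart entry: {n} = {d}" for n, d in check_run_key(reg_export)]
    findings += [f"backdoor listener on TCP {BACKDOOR_PORT}: {ep}"
                 for ep in check_listeners(netstat_text)]
    return findings


if __name__ == "__main__":
    # Constructed sample evidence from a hypothetical infected host.
    files = ["KERNEL32.DLL", "MPTASK.EXE", "NBRBK32.DLL", "NBVLK32.NDR"]
    reg = '"MPtask Services"="C:\\\\WINDOWS\\\\SYSTEM\\\\mptask.exe"\n"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"'
    net = "TCP    0.0.0.0:1180    0.0.0.0:0    LISTENING\nTCP    0.0.0.0:139    0.0.0.0:0    LISTENING"
    for finding in triage(files, reg, net):
        print(finding)
```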
The trojan is dropped by a file that was posted to a newsgroup. The dropper extracts a JPG file to the %Temp% folder and opens it. This image is of pornographic nature.