I am running Win 7 Ultimate, Firefox and hit the forum every morning. I did get a Java update, but my last scan (Sat morn) didn't find anything.
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 4/29/2008
Date Added: 4/29/2008
DAT Required: 5284
-- Update September 28, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
IRS scam now world's biggest e-mail virus problem - Computerworld
This detection is for a spy trojan which upon running on the victim’s machine, may be used to upload stolen information to a pre-configured website.
The characteristics of this trojan with regards to file names, sites accessed, files downloaded, etc. can differ from one version to another, depending on the way in which the attacker had configured it. Therefore, this is a general description.
Indication of Infection
* Presence of files and registry entries mentioned
* Network activity with servers mentioned above
Methods of Infection
Trojans are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.
Many of these are mass spammed by the author to entice people into double-clicking on them.
Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).
Infostealer.Banker.C [Symantec], PWS:Win32/Zbot.gen!R [Microsoft], Trojan.Generic.2436384 [BitDefender], TSPY_ZBOT.SMC [TrendMicro]
When executed, some samples of this trojan drop the following files:
* %System%\sdra64.exe [Copy of Trojan]
* %System%\lowsec\local.ds [Data File]
* %System%\lowsec\user.ds [Data File]
* %System%\lowsec\user.ds.lll [Data File]
(note: %System% refers to the System folder. In a Windows XP machine, this should by default refer to the "C:\Windows\System32" folder.)
The trojan also modifies the following registry value to run at Windows startup:
* [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = "%System%\userinit.exe,%System%\sdra64.exe,"
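The Userinit modification above is the most reliable host indicator, because a clean value holds only the stock userinit.exe followed by a trailing comma, while the trojan appends its own copy as a second entry. The following script is an added example for this thread (it is not McAfee's tooling); it parses a Userinit value, reports any entry other than userinit.exe, and matches a list of file paths against the dropped files quoted above. The sample registry value and file list are constructed, and %System% is assumed to expand to C:\Windows\System32 as the note above states.

```python
"""Check a Winlogon Userinit value and a set of file paths against the
indicators quoted in the description above.  Added example for this thread,
not vendor tooling.  The sample values under __main__ are constructed."""
import os
import sys

# Dropped-file indicators quoted from the description, with %System% left as
# a placeholder to be expanded per host.
DROPPED_FILES = [
    r"%System%\sdra64.exe",
    r"%System%\lowsec\local.ds",
    r"%System%\lowsec\user.ds",
    r"%System%\lowsec\user.ds.lll",
]
# Assumed default system directory (the note above gives this for XP).
DEFAULT_SYSTEM_DIR = r"C:\Windows\System32"


def expand_system(path, system_dir=DEFAULT_SYSTEM_DIR):
    """Replace the %System% placeholder with the host's system directory."""
    return path.replace("%System%", system_dir)


def parse_userinit(value):
    """Split a Userinit value into its non-empty, comma-separated entries.

    A clean value is a single entry plus a trailing comma, for example
    'C:\\Windows\\System32\\userinit.exe,'.  The trojan appends a second
    entry, so every extra entry is worth inspecting."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value, system_dir=DEFAULT_SYSTEM_DIR):
    """Return every Userinit entry other than the stock userinit.exe
    (compared case-insensitively, as Windows paths are)."""
    expected = expand_system(r"%System%\userinit.exe", system_dir).lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def matching_dropped_files(present_paths, system_dir=DEFAULT_SYSTEM_DIR):
    """Return which of the listed dropped files occur in present_paths."""
    present = {p.lower() for p in present_paths}
    return [p for p in DROPPED_FILES
            if expand_system(p, system_dir).lower() in present]


def assess(userinit_value, present_paths, system_dir=DEFAULT_SYSTEM_DIR):
    """Combine both checks into one report."""
    return {
        "userinit_extra": unexpected_userinit_entries(userinit_value, system_dir),
        "dropped_files": matching_dropped_files(present_paths, system_dir),
    }


def read_live_userinit():
    """On Windows, read the real Userinit value from the key quoted above;
    on other platforms return None so the script still runs."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    # Constructed sample reproducing the modified value quoted above.
    sample_value = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sdra64.exe,"
    sample_files = [r"C:\Windows\System32\sdra64.exe",
                    r"C:\Windows\System32\lowsec\user.ds"]
    print(assess(sample_value, sample_files))
    live = read_live_userinit()
    if live is not None:
        system_dir = os.path.join(
            os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        print("live Userinit:", live, "->",
              unexpected_userinit_entries(live, system_dir))
```

On a live Windows host the script also reads the real Userinit value; any extra entry it prints should be treated as a finding to investigate, not as a confirmed infection, since the trojan's file names vary between versions as the description notes.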
It injects malicious code into several processes and hooks several APIs to hide itself and monitor user activity.
It connects to a remote server to update itself and to send gathered information such as banking transactions.
Attempts to connect to the domain:
At the time of writing, the domain is not available.