
New virus/variant out today

Joemonkey

Diamond Member

Some people were asking me about emails they received with .zip attachments with price in the name. Virus scan wasn't picking it up, so I checked out Trend's website and did a manual update. Anyway:


Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage potential: Medium

Distribution potential: Low

--------------------------------------------------------------------------------

Description:

This memory-resident Trojan arrives on a system as an attachment to spammed email messages. The attachment is an archived file using any of the following file names:

09_price.zip
new__price.zip
new_price.zip
newprice.zip
price2.zip
price_09.zip
price_new.zip

The following is a sample screenshot of the email message this Trojan arrives with:

[Screenshot of the spammed email message, not reproduced here]

This Trojan bears an icon similar to that of the Notepad application. It also opens a Notepad window upon execution, possibly to trick unsuspecting users into believing they are opening a normal application.

It drops a copy of itself in the Windows system folder as the file WINSHOST.EXE. It also drops its DLL component named WIWSHOST.EXE in the same folder. This dropped DLL component contains this Trojan's malicious routines, and is injected in the EXPLORER.EXE process to avoid immediate detection and to ensure its automatic execution every time Windows Explorer is accessed.

This Trojan then terminates several processes running on an affected system. Moreover, it disables any antivirus applications running on an affected system by deleting several registry keys and entries, as well as by disabling a number of services related to these applications.

It also attempts to download a file from several Web sites. As of this writing, however, the said sites are already inaccessible.

This Trojan also renames certain files. The said routine may cause corresponding applications to malfunction.



 
Looks like McAfee will be unusually slow on those; the Wednesday DATs should cover it. In the meantime, if you happen to have VirusScan Enterprise 8 then you can create an Access Protection rule that arbitrarily forbids creation or execution of files named **\price*.zip by processes * and sleep a little easier.
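As an added example (not code from this thread, from Trend Micro or from McAfee): a small Python triage script that applies the attachment names quoted from the Trend description above and the price*.zip wildcard idea from this post to mail-gateway log lines, and checks a directory listing for the two dropped file names. The log line format, the sample lines and the addresses are constructed for the example; the wildcard-to-regex conversion is a plain approximation of how a basename rule like **\price*.zip would match, not VirusScan's own matcher.

```python
import os
import re
from typing import Iterable, List, Tuple

# Attachment names listed in the Trend Micro description quoted in the thread.
KNOWN_ATTACHMENTS = {
    "09_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price2.zip", "price_09.zip", "price_new.zip",
}

# Files the description says the Trojan drops in the Windows system folder.
DROPPED_FILES = {"WINSHOST.EXE", "WIWSHOST.EXE"}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a VirusScan-style file rule such as **\\price*.zip into a regex
    that is tested against the attachment's base name (case-insensitive).
    Only the base name matters here, so leading directory wildcards are dropped.
    This is an approximation written for the example, not the product's matcher."""
    base = pattern.replace("\\", "/").split("/")[-1]
    escaped = "".join(".*" if ch == "*" else re.escape(ch) for ch in base)
    return re.compile(r"^" + escaped + r"$", re.IGNORECASE)


PRICE_RULE = wildcard_to_regex(r"**\price*.zip")

# Constructed log format (not any real product's format): one attachment per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attachment=(?P<name>\S+)$"
)


def flag_attachments(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, sender, attachment) for every line whose attachment is
    either an exact name from the advisory or matches the price*.zip rule.
    Note that the wildcard rule is broader than the exact list, which is the
    trade-off the Access Protection rule makes."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not attachment records
        name = m.group("name")
        if name.lower() in KNOWN_ATTACHMENTS or PRICE_RULE.match(name):
            hits.append((m.group("ts"), m.group("sender"), name))
    return hits


def find_dropped_files(listing: Iterable[str]) -> List[str]:
    """Case-insensitive check of a directory listing for the dropped file names."""
    wanted = {n.lower() for n in DROPPED_FILES}
    return sorted(n for n in listing if n.lower() in wanted)


def sweep_system_dir(path: str) -> List[str]:
    """Convenience wrapper: run the check against a real directory on a host
    (read-only; nothing is modified). The path is supplied by the caller."""
    return find_dropped_files(os.listdir(path))


# Constructed sample lines for a dry run; addresses and timestamps are made up.
SAMPLE_LOG = [
    "2005-03-01T09:12:03 from=alice@example.test to=bob@example.test attachment=price_09.zip",
    "2005-03-01T09:13:44 from=carol@example.test to=bob@example.test attachment=Q1_report.pdf",
    "2005-03-01T09:15:10 from=dave@example.test to=bob@example.test attachment=PRICE_list.ZIP",
    "2005-03-01T09:16:27 from=erin@example.test to=bob@example.test attachment=prices.zip",
]

if __name__ == "__main__":
    for ts, sender, name in flag_attachments(SAMPLE_LOG):
        print(f"{ts} {sender} sent suspicious attachment {name}")
```

On the sample lines the exact list only catches price_09.zip, while the wildcard rule also flags PRICE_list.ZIP and prices.zip, which is why a name-based block rule buys time before signatures arrive but will also stop legitimate archives whose names happen to start with "price". Since the thread notes the sender address is spoofed, the sender column is useful for tracing the spam run, not for identifying who is infected.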
 
Originally posted by: Gravity
Hasn't reached the shores of LA yet... hope the DATs update prior to that.
4585s were released early, go get 'em 🙂 There's one new Bagle that'll be in the 4586s though (tomorrow ~9AM probably).


 
After I applied the new signatures to my ScanMail, I only received about 8 more emails w/ the virus all day...

weird virus though
 
I had someone with an email address very similar to mine email me and asked me why I sent her the zip file. I don't have the virus so that was kind of odd. 😕 I assume it modifies the sender address.
 
Anyone know what it actually does?

(besides replicate itself via email)

Spam bot?

Key logger?

I have gotten it a few times today but my PC-cillin got it right away.
 