Win32.Conferox (Ca.com)

Description Published: 2005. július 7.
Description Modified: 2005. július 8.

Characteristics

Type:                               Trojan
Category:                        Win32
Also known as                 Win32/Conferox!Downloader, Win32.Conferox!downloader, Win32.Conferox.A, Win32/Conferox.A!Trojan, Win32.Conferox.B, Troj/Dloader-PZ (Sophos), Troj/Keylog-AK (Sophos), W32/PWStealer.AT@dr (F-Secure), PWS-Reox (McAfee), TROJ_SMALL.ALT (Trend), PWSteal.Trojan (Symantec), Trojan-Spy.Win32.Agent.ew (Kaspersky), Trojan-Downloader.Win32.Small.arf (Kaspersky), Downloader-YZ (McAfee)

Method of Infection
Computer Associates have received a number of reports regarding a downloading trojan that has been widely spammed through e-mail.

Win32.Conferox!downloader is a 2,779-byte, MEW-packed Win32 PE application, which downloads and executes another program from a web page registered in Azerbaijan.

Initially the downloaded program: “file.exe” was a 18,340-bytes, MEW-packed Win32 application (detected as Win32.Conferox.A). At the time of publishing, however, it has been replaced by a 18,176-byte MEW-packed Win32 application (detected as Win32.Conferox.B).

When a Win32.Conferox executable is run, the trojan copies itself to the %System%/service folder as “explorer.exe” and register itself as a service (on Windows NT/2K/XP) or modifies the registry in order to execute at the next reboot (on Windows 9.x):

HKCUSoftwareMicrosoftWindowsCurrentVersionRunexplorer = ˝%System%serviceexplorer.exe˝

Note: ´%System%´ is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:WinntSystem32; for 95,98 and ME is C:WindowsSystem; and for XP is C:WindowsSystem32.

More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43289