Trojan.Gletta.A is a Trojan that steals bank account passwords. It also acts as a keylogger, recording keystrokes when users visit some unsafe websites and then sending that information to the attacker.
Trojan.Gletta.A
Date appeared: 9/6/2004
Description:
When executed, Trojan.Gletta.A will perform the following actions:
1. Copies itself under the following names:
%System%\Wmiprvse.exe
%System%\Ntsvc.exe
%Windir%\Userlogon.exe
Note:
+ %System% is a variable: Trojan.Gletta.A determines the location of the system directory and copies itself there. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
+ %Windir% is a variable: Trojan.Gletta.A determines the Windows installation folder and copies itself there (by default C:\Windows or C:\Winnt).
2. Creates the file %System%\Rsasec.dll, which is essentially a keylogger.
3. Creates the file %System%\rsacb.dll, which is actually a text file.
4. Adds the value:
"wmiprvse.exe" = "%system%\wmiprvse.exe"
to the following registry key so that it runs automatically at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
5. On Windows NT/2000/XP, Trojan.Gletta.A adds the following value:
"Run" = "%Windir%\userlogon.exe"
to the following registry key so that it runs automatically at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
6. On Windows 95/98/Me, Trojan.Gletta.A adds the following line:
run = %Windir%\userlogon.exe
to the Win.ini file so that the Trojan runs automatically when the system starts.
7. On Windows 95/98/Me, Trojan.Gletta.A changes the line "shell =" to:
shell = explorer.exe %system%\ntsvc.exe
so that the Trojan runs automatically when the system starts.
8. Trojan.Gletta.A records keystrokes typed into Internet Explorer windows with the following titles:
National Australia Bank
ANZ Internet Banking - Logon
National Internet Banking
Citibank Australia
Welcome to Citi
Welcome to Citibank
Citi - Sign On
Bank of China
online @ hsbc
HSBC in Hong Kong
Banesto
Sabadell
or the following addresses:
https://olb.westpac.com.au/ib/asp/
https://olb.westpac.com.au/ib/
- Trojan.Gletta.A uses its own SMTP engine to send the keystroke log file to an external e-mail address. The Trojan sends the mail through an SMTP server in Russia.
This e-mail has the following characteristics:
+ FROM and TO have the same domain, "mail.ru"
+ The subject line starts with "Business News from"
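An added example (not part of the original write-up): a Python check that flags captured outbound messages showing both e-mail characteristics listed above. It assumes raw RFC 5322 messages are available from an SMTP egress capture; the sample messages, addresses and host names are constructed placeholders.

```python
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

DOMAIN = "mail.ru"                       # characteristic 1 in the write-up
SUBJECT_PREFIX = "business news from"    # characteristic 2, case-insensitive

def _domains(msg, header):
    """Lower-cased domains of every address in one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def matches_gletta_mail(raw):
    """True only when a raw RFC 5322 message shows both characteristics."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded words and collapse folding whitespace first.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    subject = " ".join(subject.split()).lower()
    same_domain = _domains(msg, "From") == {DOMAIN} == _domains(msg, "To")
    return same_domain and subject.startswith(SUBJECT_PREFIX)

# Constructed sample messages (addresses and host names are placeholders).
SAMPLES = [
    "From: sender-placeholder@mail.ru\nTo: drop-placeholder@mail.ru\n"
    "Subject: Business News from HOST-A\n\nbody\n",
    'From: "x" <Sender-Placeholder@MAIL.RU>\nTo: drop-placeholder@mail.ru\n'
    "Subject: =?utf-8?q?Business_News_from_HOST-B?=\n\nbody\n",
    "From: sender-placeholder@notmail.ru\nTo: drop-placeholder@mail.ru\n"
    "Subject: Business News from HOST-C\n\nbody\n",
    "From: sender-placeholder@mail.ru\nTo: drop-placeholder@mail.ru\n"
    "Subject: Weekly Business News from HOST-D\n\nbody\n",
]

def scan(messages):
    """Return one boolean per message, in order."""
    return [matches_gletta_mail(m) for m in messages]

if __name__ == "__main__":
    for i, hit in enumerate(scan(SAMPLES)):
        print(i, "MATCH" if hit else "clean")
```

Requiring both characteristics together keeps ordinary mail.ru correspondence from matching; the third and fourth samples show a look-alike domain and a subject that merely contains the phrase being rejected.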