Virus Alert: PWSteal.Tarno.K

PWSteal.Tarno.K is a password-stealing Trojan that captures passwords when users fill in forms on the web.

Affected operating systems

UNIX, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Description:

When executed, PWSteal.Tarno.K performs the following actions:

1. Create the following files:

%System%\inst.exe
%System%\IEHelper.dll

2. Register the IEHelper.dll file as a browser helper object, so that the Trojan runs automatically each time Internet Explorer (IE) starts.

3. Create the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKEY_CLASSES_ROOT\IEHelper.IEHelperOP

4. Monitor browser windows for the following keywords:

financial
gold
cash
bank
belt
log
user
usr
pwd

5. Monitor browser windows for the following strings:

barclays
memorable word
IBARC
nwolb
Please enter the
INATS
lloydstsb
Please enter the characters
ILOY
halifax
Password
IKALIF
anbusiness
Passcode

6. Capture and record actions performed on the screen if the browser window matches one of the Trojan's keywords.

7. Write the captured information to the file %System%\Logmtspag.drv.

8. Send the collected information to: http://wmmen.com/uk/logout.php
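
The following PowerShell check is an added example, not part of the original alert: it looks for the files, registry keys and browser helper object registration listed in steps 1, 2, 3 and 7. The Browser Helper Objects registry path it enumerates is the standard Windows location and is an assumption, since the alert does not name it.

```powershell
# Added example: checks a Windows host for the artifacts named in this alert.
$sys      = [Environment]::SystemDirectory               # resolves %System%
$clsid    = '{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}'      # CLSID from step 3
$findings = @()

# Steps 1 and 7: dropped files and the capture log.
foreach ($name in 'inst.exe', 'IEHelper.dll', 'Logmtspag.drv') {
    $path = Join-Path $sys $name
    if (Test-Path -LiteralPath $path) {
        $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "SHA256 $sha" }
    }
}

# Step 3: registry keys created by the Trojan.
$keys = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
        'Registry::HKEY_CLASSES_ROOT\IEHelper.IEHelperOP'
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = '' }
    }
}

# Step 2: enumerate registered browser helper objects and resolve each to its DLL.
# Assumption: the standard per-machine BHO list; the alert does not name this key.
$bhoRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in @(Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue)) {
    $id  = $bho.PSChildName
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32"
    $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
    if ($id -eq $clsid -or $dll -like '*\IEHelper.dll') {
        $findings += [pscustomobject]@{ Type = 'BHO'; Item = $id; Detail = $dll }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No PWSteal.Tarno.K artifacts from this alert were found.' }
```

A file name such as inst.exe is generic, so treat a file hit on its own as a lead and confirm it against the registry and BHO results.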