Threat Description

Barok

Details

Aliases:Barok
Category:Malware
Type:Trojan-PSW
Platform:W32

Summary



The Barok password stealing trojan was spread by the LoveLetter Internet worm from four different accounts on a SkyInet webserver.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The Barok password stealing trojan was spread by the LoveLetter Internet worm from 4 different accounts on SkyInet webserver.F-Secure AV Research contacted administrators of that server and all the accounts that were spreading the trojan were deleted by 1:00pm GMT, May 4th, 2000.Barok password stealing trojan is configurable - i.e. it can be configured to use any resolvable smtp server, any e-mail address and any installation filename and any Registry key name.The first discovered version of this password stealing trojan tries to find a hidden window named 'BAROK...' on its startup. If it is present, the trojan exits immediately, otherwise the main routine takes control. The trojan checks for the WinFAT32 subkey in the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the WinFAT32 subkey key is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and runs the file from that location. The above modification of the registry key activates the trojan every time Windows starts.Then the trojan sets Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys:

  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class, creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application.Immediately after startup (and if the Internet connection is present) or when timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to 'mailme@super.net.ph' e-mail address that most likely belongs to the trojan's author. The trojan uses the 'smtp.super.net.ph' mail server to send e-mails. The subject of these e-mails is 'Barok... email.passwords.sender.trojan'. The trojan also sends the host name, the username and the IP address of the victim in this e-mail.Author's copyright message can be found inside the trojan's body: barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils.In addition, there are some encrypted text messages in the trojan's body which it uses for its own purposes.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More