This remotely controlled trojan appeared on July 8th, 2005, just after terrorists attacked London. It was spead with an HTML-based e-mail that contained news about explosions.
Disinfection & Removal
The trojan is a PE executable file 82432 bytes long, packed with UPX file compressor.
The trojan was spread in e-mail messages that looked like that:
The trojan was sent in that e-mail as a ZIPped attachment named 'LondonTerrorMovie.zip'. The trojan's file name inside the archive was:
London Terror Movie.avi <a lot of spaces> Checked By Norton Antivirus.exe
When the trojan's file is run, it copies itself to Windows folder with one of the following names:
ctflog.exe explore.exe inetinfomon.exe MPM.exe service.exe winlog.exe
The trojan sets read-only, hidden and system attributes to the copied file. Then the trojan adds a startup key value for its file to the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "<filename> manager" = "%WinDir%\<filename>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "<filename> manager" = "%WinDir%\<filename>.exe"
where %WinDir% stands for Windows directory name and <filename> stands for the trojan's file name, for example:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "inetinfomon manager" = "c:\windows\inetinfomon.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "inetinfomon manager" = "c:\windows\inetinfomon.exe"
The trojan is used by spammers to send e-mails from infected computers. The trojan can be remotely controlled to send e-mail and to upgrade its file from Internet.
When sending spam e-mails, the trojan can generate fake sender's e-mail addresses automatically using the following string arrays:
abrupt acetic actinolite anarch apocryphal blacksmith bolometer codfish crystallite dairymen deducible detour diffusible diurnal frostbite hydrochemistry loretta mentor reactionary slovakia french wooden Thomas Edward Kenneth Ronald Carlos Victor Oliver Alexandria Hillary Malinda Williams Martinez Torres Hudson Wagner Fernandez Curtis Caldwell Jimenez Mckinney Cummings Walton Alvarado Carson hotmail.com msn.com aol.com
The trojan uses the following fake mailer tags:
The Bat! (v1.52f) Business Microsoft Outlook Express 6.00.2600.0000 Microsoft Outlook Express 5.00.2615.200 MIME-tools 5.503 (Entity 5.501) Microsoft Outlook Express 6.00.2462.0000 Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Microsoft Outlook, Build 10.0.2616 Microsoft Outlook, Build 10.0.2627 QUALCOMM Windows Eudora Version 5.1 Internet Mail Service (5.5.2650.21) Microsoft Outlook Express 5.00.2919.6700 eGroups Message Poster AOL 7.0 for Windows US sub 118
F-Secure Anti-Virus detects this trojan with the following
Detection Type: PC
Description Created: Description and Screenshot:Alexey Podrezov and Mikko Hypponen; June 12th, 2005;