1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Webber

Webber

ALIAS:TrojanProxy.Win32.Webber.a, TrojanDownloader.Win32.Small.bu
VARIANT:Webber.A

Summary

Webber trojan consists of 2 parts - a downloader and a proxy trojan. The downloader was spread in e-mail messages on 10th of November 2003. When activated, the downloader fetches and activates a proxy trojan on an affected computer. The proxy trojan allows hackers to connect to Internet through an infected computer.

Additional Details

Webber trojan downloader was spread on 10th of November in the following e-mail messages:

From: 
 "Account Manager" <accounts_manager@citibank.com>


Subject: 
 Re: Your credit application


Body: 
 Dear Sir!



 Thank you for your online application for a Home Equity Loan.
 In order to be approved for any loan application we pull your
 Credit Profile and Chexsystems information, which didn't satisfy
 our minimum needs. Consequently, we regret to say that we cannot
 approve you for Home Equity Loan at this time.



 *Attached are copy of your Credit Profile and Your Application that
 you submitted with us. Please take a close look at it, you will receive
 hard copy by mail withing next few days.


Attachment: 
 www.citybankhomeloan.htm.pif


The attached downloader file name is 'www.citybankhomeloan.htm.pif' - it is an executable file that pretends to look like an URL. The downloader fetches NEHER.GIF file from the 'saher.by.ru' website, saves it to a hard drive as an executable file and activates it.

After activation, the main trojan's file copies itself with a random name to Windows System folder and drops a DLL file that also has a random name. The trojan acts as a proxy - it allows remote hackers to connect to Internet through an infected computer. The connection between a hacker's computer and an infected computer is encrypted.

The trojan connects to www.valenok.red-host.com site to fetch specific data and to report an infected computer's IP address.

The trojan contains the following text strings: 

 Neher(HEXEP) coded by HangUP Team (commercial version).
 Greetz to: Hunk,Ares,Z0mbie,FreeHunt,SBVC,TSRH,Vecna';)
 A zdes mogla bi bit vasha reklama ;)


Detection

Detection in F-Secure Anti-Virus was published in the following updates:

Version=2003-11-11_01

Technical Details: Alexey Podrezov and Katrin Tocheva, November 11th, 2003;