Threat Description

Webber

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Webber, TrojanProxy.Win32.Webber, W32/Heloc-mm

Summary


UPDATE (2003-07-22 7:15 GMT)

Another variant has been discovered. The e-mail messages used on this occasion have the following format:

From: Wells Fargo Accounting [wfba.accounting@wellsfargo.com]
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
Body:
Dear Sir,
Thank you for your online application for a Business Account with Wells Fargo. We appreciate your interest in banking with us.
In order to open a Business Account, we must receive specific credit information that is verifiable. Because Wells Fargo has no locations in your state, we are unable to confirm the credit information in your application. Consequently, we regret to say that we cannot open an account for your business at this time.

Attached are your Wells Fargo Application and your Social Security File.
Sincerely,
Sherli Chin
Business Resource Center Services
Wells Fargo Bank

UPDATE (2003-07-17 12:00 GMT)

A new variant of the downloader has been discovered. The e-mail message it is received in has the following format:

Subject: Re: Your E-Loan Refinance Application
Body:
Dear sir,
Thank you for your recent online Refinance Application with E-Loan Inc. Apparently you have moved from your current home address a couple of months ago, so we coulnd't verify your identity with Credit Bureaus and Chexsystems.
We are sorry for any inconvenience.
Attached are scanned copies of your Home Value, Grant Deeds and your current Credit Profile from 3 major Credit Bureaus. Take a close look at it, as you will receive hard copies by usps mail in few days.

The attachment name is "E-Loan-Appraiser-Results.pif". As of this writing, we have not seen this downloader received in messages with different content.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


This trojan was mass-mailed on July 16 2003. The message arrived with an attachment containing the downloading component named "web.da.us.citi.heloc.pif".

The message characteristics are:

Subject: Re: Your credit application
Body:
Dear sir,
Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy our minimum needs.
Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.

Once executed, the attachment downloads and installs a hidden proxy server which, in turn, creates an additional DLL. The trojan therefore has three components:

EXE downloader (5664 bytes)
EXE trojan (39140 bytes)
DLL component (5633 bytes)

The main component copies itself to the Windows system directory under a randomly selected name and drops the DLL component under a randomly composed name as well.

The trojan does not register itself in any auto-run registry key or Windows INI file. Instead, it gets executed by modifying the following registry keys:

HKCR\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}
    InProcServer32 = %trojan DLL name%
    ThreadingModel = Apartment

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Web Event Logger = {79FA9088-19CE-715D-D85A-216290C5B738}

As a result, the trojan DLL is loaded whenever the shell processes the ShellServiceObjectDelayLoad entry. The DLL then appears to be responsible for executing the main binary.
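The persistence described above (an SSODL value pointing at a CLSID whose InProcServer32 is the dropped DLL) can be checked offline from a registry export. The following script is an added example for this write-up, not F-Secure's or Kaspersky's code: it parses a .reg text export, resolves every ShellServiceObjectDelayLoad value to its InProcServer32 DLL, flags entries matching the Webber CLSID or value name quoted above, and reports anything absent from an operator-supplied known-good list. The .reg sample, the known-good names and the non-Webber CLSID and DLL name in it are constructed for the example.

```python
"""Offline triage of ShellServiceObjectDelayLoad (SSODL) persistence.

Parses a Windows .reg text export, resolves each SSODL value (a CLSID)
to the DLL registered under HKCR\\CLSID\\{clsid}\\InProcServer32, and
flags entries that match the Webber indicators or that are absent from
an operator-maintained known-good list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad").upper()
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Indicators quoted from the write-up.
WEBBER_CLSID = "{79FA9088-19CE-715D-D85A-216290C5B738}"
WEBBER_VALUE_NAME = "Web Event Logger"

# Assumed known-good SSODL value names (constructed for this example).
# Build this from a clean baseline of the same OS build; it is not an
# authoritative Microsoft list.
KNOWN_GOOD_NAMES = {"PostBootReminder", "WebCheck", "CDBurn", "SysTray"}


@dataclass
class SsodlEntry:
    name: str
    clsid: str
    dll: Optional[str]
    threading: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: string values only, one value per line.

    Key paths are upper-cased because the registry is case-insensitive.
    Value names are kept as written; "@" denotes the key's default value.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data.
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def triage_ssodl(reg_text: str) -> List[SsodlEntry]:
    """Resolve every SSODL entry and attach the reasons it needs review."""
    keys = parse_reg_export(reg_text)
    findings: List[SsodlEntry] = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        clsid = clsid.upper()
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32".upper(), {})
        entry = SsodlEntry(name, clsid, server.get("@"),
                           server.get("ThreadingModel"))
        if clsid == WEBBER_CLSID.upper() or name == WEBBER_VALUE_NAME:
            entry.reasons.append("matches Webber indicator")
        if name not in KNOWN_GOOD_NAMES:
            entry.reasons.append("not on known-good list")
        if entry.dll is None:
            entry.reasons.append("CLSID has no InProcServer32")
        findings.append(entry)
    return findings


# Constructed sample export: the first entry stands in for a legitimate
# shell object (made-up CLSID); the second mirrors the Webber keys with a
# made-up random DLL name in the system directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{11111111-2222-3333-4444-555555555555}"
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="%SystemRoot%\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM32\\xkqwzt.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for e in triage_ssodl(SAMPLE_REG):
        status = "REVIEW" if e.reasons else "ok"
        print(f"{status:6} {e.name!r} -> {e.clsid} -> {e.dll} "
              f"({'; '.join(e.reasons) or 'baseline'})")
```

Run against an export of HKLM\Software\Microsoft\Windows\CurrentVersion and HKCR\CLSID from the suspect machine; the Webber value name is itself an indicator, but a freshly named entry with a random DLL in the system directory is caught by the known-good comparison even when the CLSID differs.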

This main executable is a proxy that listens on the victim machine (accepting up to 100 connections) and reports the infected machine's IP address and cached passwords to a hard-coded URL. The trojan also downloads other EXE files from a URL and executes them.



Detection


F-Secure Anti-Virus detects the Webber worm with the updates published on July 16th, 2003:

Detection Type: PC
Database: 2003-07-16_03



Technical Details: Kaspersky Labs and F-Secure Corp.; July 16th, 2003

