Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This Trojan arrives bundled with malware packages as a malware component. It can also be downloaded by a user when visiting malicious Web sites that redirect to http://{BLOCKED}securityupdates.com/cl.exe
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run and to monitor the affected user's interaction with the browser.
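Because the Trojan persists as a Browser Helper Object, a defender's first check on a suspect host is to enumerate every BHO that Internet Explorer would load and see which DLL backs each one. The script below is an added example, not part of the Trend Micro description and not tied to this Trojan's specific CLSID (which the page does not give); it only relies on the standard registry locations where BHOs are registered and resolves each CLSID to its InprocServer32 path and Authenticode status.

```powershell
# Added example (not from the original description): list registered Browser Helper
# Objects and resolve each CLSID to the DLL that Internet Explorer loads.
# Only the documented BHO registration keys are used; no malware-specific indicators are assumed.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $key) {
            $clsid  = $clsidKey.PSChildName
            $server = $null
            # Resolve the COM server DLL; check both the 64-bit and 32-bit CLSID hives.
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty -Path $inproc).'(default)'
                    if ($server) { $server = [Environment]::ExpandEnvironmentVariables($server) }
                    break
                }
            }
            $sigStatus = 'NotFound'
            if ($server -and (Test-Path $server)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $server).Status
            }
            # NoExplorer is a legitimate flag, but a BHO that hides from Explorer is worth a look.
            $noExplorer = $null -ne (Get-ItemProperty -Path $clsidKey.PSPath -Name NoExplorer -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $server
                Signature  = $sigStatus
                NoExplorer = $noExplorer
            }
        }
    }
}

# Run on the host under investigation; review unsigned DLLs or DLLs outside Program Files / System32.
Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize
```

A BHO whose DLL is unsigned, lives in a user-writable directory such as a temp or profile folder, or has no matching InprocServer32 entry at all is the kind of entry to pull for further analysis; removing the CLSID subkey from the Browser Helper Objects key disables the load on the next Internet Explorer start.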
It reports its infection to a certain IP address and retrieves a configuration file from it that contains information on which Web site(s) it should redirect the browser to when the user types certain queries on monitored popular search engines or what pop-up windows to display. At the time it is detected, this Trojan displays the following advertisement about the Apple iPhone:
On clean systems, typing "iPhone.com" would redirect the Internet browser to the real Apple site for the iPhone, which is http://www.apple.com/iphone/. However, once this Trojan infects a system, the browser redirects to the fake site http://{BLOCKED}rityupdates.com/cl.exe, which poses as an online store where the iPhone can be ordered:
This Trojan then displays a page from http://{BLOCKED}instream.sales.online.exclusivereselling.iphone06292007.automaticordernow.apple.iesecurityupdates.com/index.php. Note that this Trojan masks the URL such that the browser shows www.iphone.com in the address bar.
Details on how to pay for this "purchase" are also indicated on the site:
For additional information about this threat, see the Solution and Technical Details sections.
Description created: Jul. 1, 2007 5:20:58 PM GMT -0800