January 06, esecurityplanet.com
BackDoor-AWQ.b is a remote access Trojan written in Borland Delphi, according to McAfee, which issued an alert Tuesday, January 6. An email message constructed to download and execute the Trojan is known to have been spammed to users. The spammed message is in HTML format. It is likely to have a random subject line, and its body is likely to bear a head portrait of a lady (loaded from a remote server upon viewing the message). The body contains HTML tags to load a second file from a remote server. This second file is a MIME message containing the remote access Trojan (base64 encoded).

Upon execution, the Trojan installs itself into the %SysDir% directory as GRAYPIGEON.EXE. A DLL file is extracted and also copied to this directory (%SysDir% is the Windows System directory, for example C:\WINNT\SYSTEM32). The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "ScanRegedit" = "%SysDir%\GRAYPIGEON.EXE"

The DLL file (which contains the backdoor functionality) is injected into the EXPLORER.EXE process on the victim machine.
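The two host indicators the alert gives, the RunOnce value and the dropped executable, can be checked read-only on a suspect machine. The following PowerShell is an added triage example, not part of the McAfee alert; it assumes a current Windows host where [Environment]::GetFolderPath('System') resolves %SysDir%, and it only reports, it does not remove anything.

```powershell
# Added example: look for the BackDoor-AWQ.b persistence hook and dropper
# described in the alert. Read-only; prints findings for an analyst.
$runOncePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$valueName   = 'ScanRegedit'
$dropperName = 'GRAYPIGEON.EXE'
$sysDir      = [Environment]::GetFolderPath('System')   # resolves %SysDir%

$findings = @()

# 1. Registry: the alert says the Trojan writes
#    RunOnce\ScanRegedit = "%SysDir%\GRAYPIGEON.EXE"
$key = Get-Item -Path $runOncePath -ErrorAction SilentlyContinue
if ($key -and ($key.GetValueNames() -contains $valueName)) {
    $data = [string]$key.GetValue($valueName)
    $findings += [pscustomobject]@{
        Indicator = "Registry value $runOncePath\$valueName"
        Value     = $data
        # -match is case-insensitive; escape the name so '.' is literal
        Match     = ($data -match [regex]::Escape($dropperName))
    }
}

# 2. File system: the dropper copied into the Windows System directory
$dropperPath = Join-Path $sysDir $dropperName
if (Test-Path -LiteralPath $dropperPath) {
    $file = Get-Item -LiteralPath $dropperPath
    $findings += [pscustomobject]@{
        Indicator = "File $dropperPath"
        Value     = '{0} bytes, modified {1}' -f $file.Length, $file.LastWriteTime
        Match     = $true
    }
}

# 3. Any other RunOnce entry launching something from %SysDir% is worth a look,
#    since the alert's value name could be changed in a variant (assumption).
if ($key) {
    foreach ($name in $key.GetValueNames() | Where-Object { $_ -ne $valueName }) {
        $data = [string]$key.GetValue($name)
        if ($data -like "*$sysDir*") {
            $findings += [pscustomobject]@{
                Indicator = "Registry value $runOncePath\$name"
                Value     = $data
                Match     = $false   # not the known IoC, flagged for review only
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No BackDoor-AWQ.b indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in the context of the user whose HKCU hive is suspected, since RunOnce here lives under HKEY_CURRENT_USER rather than HKLM.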
More information, including removal instructions, can be found at:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100938
Source: http://www.esecurityplanet.com/alerts/article.php/3295891