Virus: TR/PSW.Lineage.EM.5
Date discovered: 17/07/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 36.864 Bytes
MD5 checksum: e70A613bc03f252a786e3fea308cd6d7
VDF version: 6.35.00.134
IVDF version: 6.35.00.173 - Monday, July 17, 2006

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer.Lineage
   •  Kaspersky: Trojan-PSW.Win32.Lineage.em
   •  TrendMicro: TSPY_LINEAGE.ANU


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification
   • Steals information

Files:
It copies itself to the following location:
   • %PROGRAM FILES%\Microsoft\svhost32.exe



It creates the following directory:
   • %PROGRAM FILES%\Microsoft



The following file is created:
   • %SYSDIR%\msdll.dll

Furthermore, it gets executed after it was fully created.

Registry:
The following value is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ms"="%PROGRAM FILES%\Microsoft\svhost32.exe"

Email:
It doesn't have its own spreading routine, but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:
The sender of the email is the following:
   • vip@microsoft.com

Stealing:
It tries to steal the following information:

– The password from the following program:
   • Lineage

Injection:
It injects the following file into a process:
   • %SYSDIR%\msdll.dll

Into all of the following processes:
   • explorer.exe
   • %processes that have visible windows%


File details:
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Monday, July 17, 2006
Description updated by Monica Ghitun on Thursday, August 3, 2006
