Virus: TR/PSW.Lineage.VD
Date discovered: 17/07/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 26.627 Bytes
MD5 checksum: 29e1dd7658d7c337fab08beb8343a81b
VDF version: 6.33.01.45
IVDF version: 6.33.01.46 - Thursday, March 2, 2006

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer.Lineage
   •  TrendMicro: TSPY_LINEAGE.AQZ
   •  Bitdefender: Dropped:Trojan.Pws.Lineage.ZT


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\Config\svhost32.exe



The following file is created:
   • %SYSDIR%\fzgdll.dll

This file is executed as soon as it has been fully written. Further investigation showed that it is malware as well. Detected as: TR/PSW.Lineage.ZT.1

Registry
The following value is added to the Run key:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "fzg"="%WINDIR%\Config\svhost32.exe"

Email
It has no spreading routine of its own, but it is able to send an email. The recipient is most likely the author. The characteristics are described below:

From:
The sender of the email is the following:
   • vip@microsoft.com

Stealing
It tries to steal the following information:

– The password for the following program:
   • Lineage

Injection
– It injects the following file into processes: %SYSDIR%\fzgdll.dll

Target processes:
   • explorer.exe
   • %processes that have visible windows%


File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Monday, July 17, 2006
Description updated by Monica Ghitun on Monday, August 7, 2006
