Virus: TR/PSW.Lineage.afq
Date discovered: 16/08/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 67.584 Bytes
MD5 checksum: dc49fe9ddf59f3ac562396ad39043f3f
VDF version: 6.35.01.99
IVDF version: 6.35.01.100 - Wednesday, August 16, 2006

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Trojan-PSW.Win32.Lineage.afq


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\loadfiles.exe



The following files are created:

– %WINDIR%\msdos32.dll Further investigation showed that this file is malware too. Detected as: TR/PSW.Lineage.afq.1

– C:\t1game.txt This file contains the collected keystrokes.

Registry
It registers a browser helper object (BHO) by adding the following keys:

– HKCR\CLSID\{2D957846-020C-4D6E-9AA8-C77ACFAEE632}\InProcServer32
   • "ThreadingModel"="Apartment"
   • "(Default)"="%WINDIR%\msdos32.dll"

The following registry keys are added:

– HKCR\CLSID\{2D957846-020C-4D6E-9AA8-C77ACFAEE632}
   • "(Default)"="PASSHOOK"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
   • "{2D957846-020C-4D6E-9AA8-C77ACFAEE632}"=""

Stealing
It tries to steal the following information:

– Passwords from the following programs:
   • Lineage
   • Lineage Windows Client

Injection
It injects the following file into a process: %WINDIR%\msdos32.dll

All of the following processes:
   • EXPLORER.EXE
   • %all processes started after malware is active in memory%


File details
Programming language:
The malware program was written in Delphi.

Description inserted by Marius T. Nicolae on Thursday, September 14, 2006
Description updated by Marius T. Nicolae on Thursday, September 14, 2006
