English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Repor.A
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Repor.A - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Repor.A
Date discovered:
01/04/2005
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
Yes
File size:
29.582 Bytes
MD5 checksum:
10ef4838aa0496d818d82a8b12fa6425
VDF version:
6.30.00.60
- Fri, 01 Apr 2005 15:59 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Mcafee: Keylog-SClog
• Kaspersky: Trojan-Spy.Win32.SCKeyLog.o
• Grisoft: PSW.Sclog.D
• VirusBuster: Trojan.Gogel.A
• Bitdefender: Win32.Repor.A
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops files
• Uses its own Email engine
• Records keystrokes
• Registry modification
• Steals information
Right after execution the following information is displayed:
Files
It copies itself to the following location:
•
%SYSDIR%
\csrs.exe
The following file is created:
–
%TEMPDIR%
\ief
%random character string%
.tmp This is a non malicious text file with the following content:
•
%visited URL%
–
%TEMPDIR%
\67-41 This is a non malicious text file with the following content:
•
%computer name%
%current date%
%current hour%
%current ip address%
%current username%
%all running processes%
%stolen information%
–
%SYSDIR%
\srsc.dat This file contains collected information about the system.
–
%SYSDIR%
\srsc.le This file contains collected information about the system.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "csrs"="
%SYSDIR%
\csrs.exe"
The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
csrs]
• "DllName"="csrs.dll"
• "Asynchronous"=dword:00000000
• "Impersonate"=dword:00000000
• "Lock"="WLELock"
• "Logoff"="WLELogoff"
• "Logon"="WLELogon"
• "Shutdown"="WLEShutdown"
• "StartScreenSaver"="WLEStartScreenSaver"
• "Startup"="WLEStartup"
• "StopScreenSaver"="WLEStopScreenSaver"
• "Unlock"="WLEUnlock"
Email
It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:
Email design:
From:
tibianhackr28@yahoo.com
To:
tibianhackr28@yahoo.com
Subject:
Log report of computer
%computer name%
(
%current username%
)
Body:
• SC-KeyLog log report
See attached file(s)...
Attachments:
• IE_Favorites.html(
%TEMPDIR%
\ief
%random character string%
.tmp)
• LogFile.log(
%TEMPDIR%
\67-41)
The email may look like one of the following:
Stealing
It tries to steal the following information:
– It captures:
• Keystrokes
• Window information
File details
Programming language:
The malware program was written in MS Visual C++.
See a brief description
here
.
Description inserted by Iulia Diaconescu on Fri, 17 Mar 2006 16:38 (GMT+1)
Description updated by Andrei Gherman on Tue, 21 Mar 2006 12:39 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
Worm/Mytob.AD
Worm/Kidala.G
Worm/Mytob.BF
Worm/Mytob.AT
DR/Autoit.I.1
TR/Spy.ZBot.DFR
TR/VB.aei
EXP/Java.Gimsh.A.40
TR/Agent.vgo
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Repor.A
Print this page
.gif)
