Alias:Trojan-PSW.Win32.Lineage.hc (Kaspersky)
Type:Worm 
Size:26.624 bytes 
Origin: 
Date:06-22-2005 
Damage: 
VDF Version:6.31.0.62 
Danger:Low 
Distribution:Low 

General DescriptionAffected Platforms:
*Windows 95
*Windows 98
*Windows ME
*Windows NT
*Windows 2000
*Windows XP
*Windows Server 2003

Technical DetailsTechnical Details*
TR/PSW.Lineage.HC.1 is packed with runtime packer ASPack.
It is able to steal account and password information.
If executed, it creates the following file:
<%sysDIR%>\Syshlp.dll (sizer: 32.768 bytes)
which is detected as TR/PSW.Lineage.HC.2 by AVIRA.

It creates the following registry keys:

[HKEY_CLASSES_ROOT\Interface\{E9F0AA4D -3233-40CF-8033-A02EAAB0BA70}]

[HKEY_CLASSES_ROOT\TypeLib\{0AB57312-F F76-405E-9013-C6244D31AE2D}\1.0]

[HKEY_CLASSES_ROOT\CLSID\{1E6918EA-351 F-4501-A346-2942144DE626}]

[HKEY_CLASSES_ROOT\Syshlp.bho]

[HKEY_CLASSES_ROOT\Syshlp.bho.1\CLSID]

Having these Browser Helper Object registry entries set the trojan can be active in Internet Explorer.

It sends the stolen information to the the following email addresses:
<mailto:koreanlin@tom.com>koreanlin@tom.com
<mailto:koreanhangame@tom.com>koreanhangame@tom.com
<mailto:koreanpmang@tom.com>koreanpmang@tom.com
说明添加者: Crony Walker 打开 2004年6月15日星期二

反馈 . . . .

© 2013 Avira Operations GmbH & Co. KG. 保留所有权利.

我的帐户

https:// 为了你的安全,此窗口已加密。