
Trojan:Win32/Wisp.A


First posted on 12 March 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Wisp.A is also known as Trojan.Win32.Cosmu.ons (Kaspersky), BackDoor-EMN (McAfee).

Explanation :

Trojan:Win32/Wisp.A steals sensitive information from the compromised computer, and allows an attacker to gain unauthorized access to the system in order to perform additional malicious actions, including downloading and executing arbitrary files. This trojan is installed by Trojan:Win32/Wisp.B.

In the wild, it has been reported that this trojan has been distributed via malicious web pages that attempt to exploit the vulnerability described by Microsoft Security Advisory 981374. This exploit is detected as Exploit:JS/CVE-2010-0806.

Installation :

Trojan:Win32/Wisp.A is a detection for a DLL that is dropped by Trojan:Win32/Wisp.B, and is loaded from the following file location:

  • %Temp%\wshipl.dll


Payload :

Steals system information

The trojan contacts a script on the domain "topix21century.com" through HTTPS, and sends sensitive system information such as:
  • Computer name
  • IP address
  • Proxy server and port number

Backdoor functionality

Trojan:Win32/Wisp.A downloads a configuration file that may contain commands instructing the trojan to perform the following actions on the compromised computer:
  • Download files
  • Upload files
  • Execute commands through the command prompt
  • Get a list of processes running on the system
  • Reboot the system
  • Steal passwords
  • Terminate processes
  • Retrieve the RDP listening port number

Additional information :

The trojan creates and deletes a number of files in the %Temp% directory during its execution, using them to store configuration data and other information gathered from the system by the trojan. The trojan may create the following files for this purpose:
  • gnotes.dat
  • pnotes.dat
  • tgnotes.dat
  • tpnotes.dat
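
A triage check built from the indicators listed above (the %Temp% file names and the contacted domain), as an added example that is not part of the original write-up. The event format, the host names and the high/low priority policy are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the description above.
DLL_NAME = "wshipl.dll"
DAT_NAMES = {"gnotes.dat", "pnotes.dat", "tgnotes.dat", "tpnotes.dat"}
DOMAIN = "topix21century.com"

def classify(event):
    """Return an indicator tag for one event, or None if it does not match."""
    if event["kind"] == "file":
        path = event["value"].lower()
        name = ntpath.basename(path)
        # %Temp% differs per user and OS version, so match the parent folder name.
        in_temp = ntpath.basename(ntpath.dirname(path)) == "temp"
        if in_temp and name == DLL_NAME:
            return "dll"
        if in_temp and name in DAT_NAMES:
            return "dat:" + name
    elif event["kind"] == "net":
        host = event["value"].lower().rstrip(".")
        # Exact domain or a subdomain; a longer name that merely ends in it must not match.
        if host == DOMAIN or host.endswith("." + DOMAIN):
            return "domain"
    return None

def triage(events):
    """Group matching indicators per host and assign a priority (assumed policy)."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    report = {}
    for host, tags in hits.items():
        # Assumption: the DLL or the domain alone is a strong signal; the .dat
        # names are generic, so a single one on its own is only a weak signal.
        strong = "dll" in tags or "domain" in tags or len(tags) >= 2
        report[host] = ("high" if strong else "low", sorted(tags))
    return report

# Constructed sample events (not real telemetry); hosts and users are hypothetical.
SAMPLE = [
    {"host": "PC-01", "kind": "file", "value": r"C:\Users\amy\AppData\Local\Temp\wshipl.dll"},
    {"host": "PC-01", "kind": "net", "value": "topix21century.com."},
    {"host": "PC-02", "kind": "file", "value": r"C:\Documents and Settings\bob\Local Settings\Temp\GNOTES.DAT"},
    {"host": "PC-03", "kind": "file", "value": r"D:\projects\notes\pnotes.dat"},
    {"host": "PC-03", "kind": "net", "value": "nottopix21century.com"},
]
```

Calling `triage(SAMPLE)` ranks PC-01 high, PC-02 low, and leaves PC-03 out because neither of its events matches a Temp path or the domain.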


Analysis by Amir Fouda

Last update 12 March 2010

     
