W32.Tuoba.Trojan


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 15 Mar 2004
Damage: Low

Characteristics: W32.Tuoba.Trojan exploits an Internet Explorer vulnerability to add a Web server (213.159.118.226) to the browser's Local Intranet zone and to redirect network traffic for selected Web sites to that server by overwriting the Hosts file.

More details about W32.Tuoba.Trojan

When the Trojan is executed, Run.exe adds 213.159.118.226 to Internet Explorer's Local Intranet zone by modifying registry values. It then overwrites the Hosts file so that requests for particular Web sites are redirected to 213.159.118.226. The lines added to the Hosts file include:

213.159.118.226 freshvideogals.com
213.159.118.226 auto.ie.searchforge.com
213.159.118.226 allneedsearch.com
213.159.118.226 find.microgirls.com
213.159.118.226 link.startmake.com
213.159.118.226 best.royalsearch.net
213.159.118.226 in.webcounter.cc
213.159.118.226 aifind.info
213.159.118.226 default-homepage-network.com
213.159.118.226 www.2fastsearch.net
213.159.118.226 www.couldnotfind.com
213.159.118.226 tits.hardcore4ever.net
213.159.118.226 www.alfa-search.com
213.159.118.226 www.dreamwiz.com
213.159.118.226 www.omega-search.com
213.159.118.226 nativehardcore.com
etc.

W32.Tuoba.Trojan is installed when the user visits a malicious Web page. The page uses an Internet Explorer exploit to execute a file named Content.php, which is actually a malicious CHM (compiled HTML Help) file. Content.php contains three files: Index.html, Htm2chm_about, and Htm2chm_explorer. Index.html uses the Internet Explorer exploit to download Run.exe to the Program folder on drive C and then executes it; this file is detected as XMLid.Exploit. Htm2chm_about and Htm2chm_explorer are not malicious. Additional lines added to the Hosts file include:

213.159.118.226 aifind.cc
213.159.118.226 awebfind.biz
213.159.118.226 find4u.net
213.159.118.226 itseasy.us
213.159.118.226 searchmyrequest.com
213.159.118.226 www.008i.com
213.159.118.226 search.ieplugin.com
213.159.118.226 qwertysearch123.biz
213.159.118.226 just.find-itnow.com
etc.
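The Hosts-file rewrite described in the two paragraphs above is the part of this Trojan an analyst can check for directly. The following script is an added example, not code from the original write-up or from any vendor tool: it parses hosts-file text, flags every entry that points a hostname at a public (non-loopback, non-private) address, and reports any single address that many names share, which is the pattern Tuoba produces with 213.159.118.226. The embedded hosts content is constructed for the example and models the entries quoted above; on a real system you would read C:\Windows\System32\drivers\etc\hosts instead.

```python
"""Detect redirection-style hijacks in a Windows hosts file.

Added example (not part of the W32.Tuoba.Trojan write-up). Tuoba overwrites
the hosts file so that many search/advertising domains resolve to a single
external IP. Two checks catch that: entries whose target is a public
address, and one address shared by an unusually large number of names.
"""
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the entries quoted in the write-up.
# A real check would read r"C:\Windows\System32\drivers\etc\hosts".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
213.159.118.226 freshvideogals.com
213.159.118.226 auto.ie.searchforge.com
213.159.118.226 allneedsearch.com
213.159.118.226 default-homepage-network.com
213.159.118.226 www.2fastsearch.net   # trailing comment
192.168.1.10    intranet.corp.example
"""


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs.

    Comments (everything after '#'), blank lines and lines whose first field
    is not a valid IPv4/IPv6 address are skipped. A line that lists several
    hostnames yields one pair per name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(entries):
    """Entries that send a hostname to a public address.

    Loopback (127.0.0.1, ::1), unspecified (0.0.0.0, used by ad-blocking
    hosts files) and private (RFC 1918 / fc00::/7) targets are normal local
    overrides; a third-party domain pinned to a public IP is the hijack
    signature.
    """
    return [
        (str(ip), name)
        for ip, name in entries
        if not (ip.is_loopback or ip.is_unspecified or ip.is_private)
    ]


def shared_targets(entries, min_names=3):
    """Map each address that min_names or more distinct names resolve to,
    to the sorted list of those names."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        by_ip[ip].add(name)
    return {
        str(ip): sorted(names)
        for ip, names in by_ip.items()
        if len(names) >= min_names
    }


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for ip, name in suspicious_entries(found):
        print(f"public redirect: {name} -> {ip}")
    for ip, names in shared_targets(found).items():
        print(f"{len(names)} names share {ip}: {', '.join(names)}")
```

Both checks are needed: a single public-IP entry can be a legitimate override, and a cluster of names on one loopback address is just an ad blocker, but a cluster of unrelated third-party domains on one public address is the shape of this Trojan's modification regardless of which IP the operator uses.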