Trojan.Gurepirls


Trojan.Gurepirls

Post by unitedtt » 00:58, 06 Dec 2005

Trojan.Gurepirls is a Trojan horse that steals email addresses and registers the stolen addresses for a pornographic service. The Trojan then prompts the user to pay for access to a pornographic Web site.

Type: Trojan Horse
Infection Length: 1440,054 bytes, 303,104 bytes, 344,064 bytes.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Discovered on: December 05, 2005

Technical details

Once installed, Trojan.Gurepirls performs the following actions:

1. Drops the following files:

* %System%\acl.bmp
* %System%\acl.ocx
* %System%\aclservice.exe
* %Windir%\Downloaded Program Files\acl.inf

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

2. Creates entries under the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AclService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AclService

to register itself as the service AclService.

3. Creates the following registry subkeys:

HKEY_CLASSES_ROOT\ACL.AclCtrl.1
HKEY_CLASSES_ROOT\AppID\{ADF47FB7-7FE7-4229-BA1F-19C6B7D936A1}
HKEY_CLASSES_ROOT\AppID\AclService.EXE
HKEY_CLASSES_ROOT\CLSID\{1B4066DD-C7E6-426D-BDD5-458954FE51FF}
HKEY_CLASSES_ROOT\CLSID\{A12A4BD2-9A1E-4536-A9C7-202A7F13ADCC}
HKEY_CLASSES_ROOT\Interface\{1D7BA44B-FBB4-4D6F-BC74-0917DAD0C605}
HKEY_CLASSES_ROOT\Interface\{65E32B18-9689-4D58-B891-56E7CE65C6C0}
HKEY_CLASSES_ROOT\TypeLib\{049FD307-FB79-489F-8AB4-4FC73A1F59B5}
HKEY_CLASSES_ROOT\TypeLib\{4FE80730-2A8B-4E96-BF40-D73FE8DAF980}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1B4066DD-C7E6-426D-BDD5-458954FE51FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/acl.bmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/acl.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/aclservice.exe
HKEY_LOCAL_MACHINE\SOFTWARE\puregirls.tv

4. Queries the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

to obtain the following information:

* SMTP Email Address
* SMTP Display Name
* SMTP Server
* POP3 User Name
* POP3 Server

5. Sends the stolen information to [http://]www.puregirls.tv/[REMOVED] and registers the user for a pornographic service.

6. Steals email addresses from the Windows Address Book and sends them to [http://]www.puregirls.tv/[REMOVED].

7. Creates the file C:\Documents and Settings\All Users\Desktop\[puregirls.tv][JAPANESE TEXT].txt

8. Displays the following message in Japanese every 30 seconds asking the user to pay a subscription fee for access to a pornographic Web site:
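The indicators in steps 1 to 4 above can be checked on a suspect host with a short read-only triage script. The following is an added example, not part of the advisory or of unitedtt's post: the file names, service name and registry keys are taken from the list above, while the script structure, the `$findings` list and the assumption of PowerShell 5.1 or later are mine. Run it from an elevated prompt; it reports only, and removal of the service and files is a separate, deliberate step.

```powershell
# Added example (not the advisory's own tooling): read-only triage for the
# Trojan.Gurepirls indicators. Assumes PowerShell 5.1+ on the suspect machine.
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: dropped files. %System% and %Windir% resolved as the advisory defines them.
$system = [Environment]::GetFolderPath('System')   # C:\Windows\System32 on XP and later
$windir = $env:SystemRoot
$files = @(
    (Join-Path $system 'acl.bmp'),
    (Join-Path $system 'acl.ocx'),
    (Join-Path $system 'aclservice.exe'),
    (Join-Path $windir 'Downloaded Program Files\acl.inf')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# Step 7: the note on the shared desktop. Its name contains Japanese text, so match only
# the fixed prefix. Square brackets are wildcard characters in PowerShell, hence StartsWith
# rather than -like. CommonDesktopDirectory is the All Users desktop on every Windows version.
$commonDesktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
Get-ChildItem -LiteralPath $commonDesktop -Filter '*.txt' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.StartsWith('[puregirls.tv]') } |
    ForEach-Object { $findings.Add("note present: $($_.FullName)") }

# Step 2: service registration. Ask the service control manager and then the raw key,
# because a half-removed infection can leave one without the other.
$svc = Get-CimInstance Win32_Service -Filter "Name='AclService'" -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("service AclService: state=$($svc.State) path=$($svc.PathName)") }
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\AclService') {
    $findings.Add('registry: HKLM\SYSTEM\CurrentControlSet\Services\AclService')
}

# Step 3: COM/ActiveX registration. HKCR is not mounted as a drive by default,
# so the Registry:: provider prefix is used for those keys.
$comKeys = @(
    'Registry::HKEY_CLASSES_ROOT\ACL.AclCtrl.1',
    'Registry::HKEY_CLASSES_ROOT\AppID\{ADF47FB7-7FE7-4229-BA1F-19C6B7D936A1}',
    'Registry::HKEY_CLASSES_ROOT\AppID\AclService.EXE',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{1B4066DD-C7E6-426D-BDD5-458954FE51FF}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{A12A4BD2-9A1E-4536-A9C7-202A7F13ADCC}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{1D7BA44B-FBB4-4D6F-BC74-0917DAD0C605}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{65E32B18-9689-4D58-B891-56E7CE65C6C0}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{049FD307-FB79-489F-8AB4-4FC73A1F59B5}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{4FE80730-2A8B-4E96-BF40-D73FE8DAF980}',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1B4066DD-C7E6-426D-BDD5-458954FE51FF}',
    'HKLM:\SOFTWARE\puregirls.tv'
)
foreach ($k in $comKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry: $k") }
}

# ModuleUsage key names embed a forward-slash path (C:/WINDOWS/system32/acl.ocx), so
# enumerate the parent and match on the file name instead of building the literal path.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '/(acl\.bmp|acl\.ocx|aclservice\.exe)$' } |
    ForEach-Object { $findings.Add("registry: ModuleUsage\$($_.PSChildName)") }

# Step 4: which mail accounts the Trojan would have read. This is exposure scoping, not
# an indicator: the key exists on any machine with Outlook Express / Windows Mail accounts.
$accounts = 'HKCU:\Software\Microsoft\Internet Account Manager\Accounts'
Get-ChildItem $accounts -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    if ($p.'SMTP Email Address') {
        $findings.Add("exposed account: $($p.'SMTP Email Address') (SMTP $($p.'SMTP Server'), POP3 $($p.'POP3 Server'))")
    }
}

if ($findings.Count -eq 0) { 'No Trojan.Gurepirls indicators found.' } else { $findings }
```

The CLSID {1B4066DD-C7E6-426D-BDD5-458954FE51FF} appears both under HKCR\CLSID and under Code Store Database\Distribution Units, which is where Internet Explorer records ActiveX controls it downloaded and installed; together with the acl.inf in Downloaded Program Files and the ModuleUsage entries, that is the footprint of a control pulled in through the browser rather than a conventional installer, so the same keys are worth checking after any other suspected drive-by ActiveX install, not only for this sample.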
