Name:  PSW.Boobs
Aliases:  BOOBS.EXE,Trojan.PSW.Boobs,Boobs
Variants:  
Type:  Windows PE Executable/Trojan
Status:  
Threat:  Medium
Trojan Characteristics
PSW.Boobs is not self-replicating, giving it its trojan status. It gets replicated by users who voluntarily e-mail it to colleagues and co-workers. The BOOBS.EXE file is 212480 bytes in length. When the trojan gets executed, it will display a picture of a nude woman, with a button below the picture labeled 'Click Here'. If the user clicks on the 'Click Here' button, the picture is then animated.
Payload
Once the user has clicked on the 'Click Here' button, the trojan will scan the user's hard disk for all .DOC files, and create a log file of that information. The log file is called WSTMP.$$$. On subsequent executions of the trojan, if the WSTMP.$$$ file already exists, the dialog box mentioned above is not displayed. The trojan also creates an empty file on the root of the C: drive called TMP.$$$.
After the computer has been rebooted, the trojan will take over and attempt to send all .DOC files listed in the WSTMP.$$$ file to the following e-mail address: pearcem@sacs.co.za
Since the trojan sends the e-mail directly and not through a separate mail client, detection may be difficult. The e-mails sent out contain the following subject line: NBS As Requested
Detection
Detection of this trojan is done by searching for the BOOBS.EXE file on a user's hard disk. It may also be detected through firewall logs, if logging has been enabled on the firewall.
Note that the file name BOOBS.EXE may be changed. You can also look for the WSTMP.$$$ and TMP.$$$ files on the user's system as a sign of infection.
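An added illustration, not part of the original index entry, of a host-side and mail-log check for the indicators listed above. Matching any .EXE by the 212480-byte length (to cover a renamed copy) and the constructed sample directory are assumptions of this example.

```python
import os
import tempfile

# Indicators taken from the entry above; the size match is an added heuristic.
TROJAN_NAME = "boobs.exe"
TROJAN_SIZE = 212480
LOG_FILE = "wstmp.$$$"
MARKER_FILE = "tmp.$$$"
EXFIL_ADDRESS = "pearcem@sacs.co.za"
EXFIL_SUBJECT = "nbs as requested"

def scan_filesystem(root):
    """Walk `root` (treated as the drive root) and return (indicator, path) hits."""
    hits = []
    root = os.path.abspath(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == TROJAN_NAME:
                hits.append(("trojan-filename", path))
            elif lower.endswith(".exe") and os.path.getsize(path) == TROJAN_SIZE:
                # The file name may be changed, so also match on the known length.
                hits.append(("trojan-size", path))
            if lower == LOG_FILE:
                hits.append(("doc-inventory-log", path))
            if lower == MARKER_FILE and dirpath == root:
                # The empty marker file is created on the root of the drive only.
                hits.append(("root-marker", path))
    return hits

def scan_mail_log(lines):
    """Return mail/firewall log lines mentioning the exfiltration address or subject."""
    return [ln for ln in lines
            if EXFIL_ADDRESS in ln.lower() or EXFIL_SUBJECT in ln.lower()]

def build_constructed_sample():
    """Create a throwaway directory mimicking an infected drive (constructed test data)."""
    root = tempfile.mkdtemp(prefix="pswboobs_")
    os.makedirs(os.path.join(root, "downloads"))
    with open(os.path.join(root, "downloads", "funny.exe"), "wb") as fh:
        fh.write(b"\0" * TROJAN_SIZE)          # renamed copy, matched by size only
    with open(os.path.join(root, "downloads", "WSTMP.$$$"), "w") as fh:
        fh.write("C:\\docs\\report.doc\n")    # constructed .DOC inventory
    with open(os.path.join(root, "TMP.$$$"), "w"):
        pass                                   # empty marker at the root
    return root
```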
Manual Removal Instructions
The BOOBS.EXE file must be removed from DOS, and not Windows. The trojan blocks Windows from deleting it. Deletion of the BOOBS.EXE file is sufficient to eradicate the trojan from a user's system.
It may also be possible to block the e-mail address that the trojan uses at the firewall level. Contact your firewall vendor or the documentation for your product for instructions on how to do this. This will not stop the spread of the trojan, but it will stop the data theft.
Point of Interest
This trojan is one of the few that does not copy itself to the \WINDOWS or \WINDOWS\SYSTEM directories. It will remain in the directory in which it was originally run on a particular system.