The following has been derived from information provided by Computer Associates and Symantec.
Virus Characteristics
Ortyc.Trojan will arrive as an email message stating you have received an eCard. Clicking on the link will open the following web page and a prompt to install the e-card viewer:
http://www.surprisecards.net/viewcard.htm
The web page contains a graphic with the following text:
"You have received an e-card
Click here to open
E-card viewer plug-in may be required to view some e-cards"
If installed, the software downloads a file named "E-CARD.CAB", which contains and installs a dynamic link library (DLL). The DLL can be any of the following:
SEC.DLL
POTD.DLL
BURNABY.DLL
This DLL is installed as a browser helper object (BHO). The following registry keys are created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\Software\POTD
HKEY_CURRENT_USER\Software\POTD
HKEY_CURRENT_USER\Software\POTD\POTD Helper
HKEY_LOCAL_MACHINE\Software\Classes\3750BFA3-1392-4AF3-AF86-9D2D4776E5A4
HKEY_CLASSES_ROOT\Burnaby.TargetingSource
HKEY_CLASSES_ROOT\Burnaby.TargetingSource.1
HKEY_CLASSES_ROOT\CLSID\{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}
When your browser is restarted, the BHO is loaded and the file TROP.XML is downloaded from two pre-defined web sites. This file contains a list of pornographic popups to open, and key words to look for. When you browse a web site that contains any of the key words in the list, it displays the pornographic popups.
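A read-only check for the registry indicators listed above, as an added example that is not part of the original advisory or any vendor tool. The CLSID-named subkey under Browser Helper Objects and the InprocServer32 lookup are assumptions based on standard BHO/COM registration, not details stated in the advisory.

```powershell
# Added example: read-only check for the registry indicators listed in this advisory.
$clsid    = '{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}'   # CLSID from the advisory
$dllNames = 'SEC.DLL', 'POTD.DLL', 'BURNABY.DLL'       # DLL names from the advisory

# Keys exactly as listed in the advisory. The bare "Browser Helper Objects" parent key
# is omitted because it also exists on clean systems.
$keys = @(
    'HKEY_LOCAL_MACHINE\Software\POTD'
    'HKEY_CURRENT_USER\Software\POTD'
    'HKEY_CURRENT_USER\Software\POTD\POTD Helper'
    'HKEY_LOCAL_MACHINE\Software\Classes\3750BFA3-1392-4AF3-AF86-9D2D4776E5A4'
    'HKEY_CLASSES_ROOT\Burnaby.TargetingSource'
    'HKEY_CLASSES_ROOT\Burnaby.TargetingSource.1'
    "HKEY_CLASSES_ROOT\CLSID\$clsid"
    # Assumption: the BHO is registered as a CLSID-named subkey (the usual BHO layout).
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)

$hits = @()
foreach ($key in $keys) {
    if (Test-Path -LiteralPath "Registry::$key") {
        $hits += [pscustomobject]@{ Indicator = $key; Detail = 'registry key present' }
    }
}

# Assumption: standard COM registration, where the default value of InprocServer32
# holds the path of the DLL the browser loads for this CLSID.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $dllPath = [string](Get-Item -LiteralPath $inproc).GetValue('')
    if ($dllPath) {
        # Take the file name from the registered path; -contains is case-insensitive.
        $leaf   = ($dllPath.Trim('"') -split '\\')[-1]
        $detail = if ($dllNames -contains $leaf) { 'DLL name matches the advisory' }
                  else { 'DLL name is not in the advisory list' }
        $hits  += [pscustomobject]@{ Indicator = "InprocServer32 -> $dllPath"; Detail = $detail }
    }
}

if ($hits) { $hits | Format-List }
else { 'No registry indicators from the advisory were found.' }
```

On 64-bit Windows, run it from 32-bit PowerShell as well, since 32-bit components register under the redirected WOW6432Node view of the registry.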
Payload
Several popup advertisements appear whenever the user starts his browser, or browses to a site containing predefined key words.
Preventative Measures
Do not install the software on your computer.
Block the following Uniform Resource Locator (URL) where possible:
http://www.surprisecards.net
Detection Available
Network Associates:
Minimum DAT: 4228
Release Date: 10/09/2002
Minimum Engine: 4.1.60
Symantec:
Virus Definitions (Intelligent Updater) October 25, 2002
Virus Definitions (LiveUpdate) October 30, 2002