W32/Harvester.G!tr - Released Apr 15, 2006 - Last Updated Apr 21, 2006

Alias/es

SpamTool.Win32.Bagle.g [KAV], Tabela trojan [McAfee], Trojan-Spy.Win32.Agent.me [KAV], W32/Mitglieder.MA!tr

Detection Availability

              Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A

Visible Symptoms

  • The Trojan presents a risk only by exposing harvested email addresses to possible attacks by malicious spammers

  • Possible firewall alert that the Trojan is attempting to contact the web site 'http://graficastrigo.com' - this host did not resolve in DNS at the time of writing

Detailed Analysis

This is a minor variant of the W32/Harvester Trojan family.

This Trojan may have been spammed or distributed by malicious users. The purpose of the Trojan is to gather email addresses from the targeted machine and upload these addresses to a web site using a server side script. The Trojan contains email gathering code similar to the Bagle virus and Mitglieder Trojans.

Email Gathering Routine
The Trojan harvests addresses from the compromised system by searching files that carry the following extensions -

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The Trojan skips any email address that contains one of the following substrings -

rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

When gathering is complete, the Trojan uploads the collected addresses to a server-side script at the following address -

http://graficastrigo.com/imagenes/out.php?a=upl
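The following is an added example, not code from the Fortinet analysis or from the Trojan itself. It models the two behaviours described above (the extension filter and the substring skip-list applied to harvested addresses) and adds a simple proxy-log check for the upload endpoint, so an analyst can see which addresses on a host would have been collected and whether an upload was attempted. The extension and skip-list tables are copied from the page; the e-mail regex, case-insensitive matching, de-duplication and the Squid-style log format are assumptions made for the example, and the sample text and log lines are constructed.

```python
import re
from typing import Iterable, List

# Extensions the analysis lists as searched by the Trojan (copied from the page).
HARVESTED_EXTENSIONS = {
    ".wab", ".txt", ".msg", ".htm", ".shtm", ".stm", ".xml", ".dbx", ".mbx",
    ".mdx", ".eml", ".nch", ".mmf", ".ods", ".cfg", ".asp", ".php", ".wsh",
    ".adb", ".tbb", ".sht", ".xls", ".oft", ".uin", ".cgi", ".mht", ".dhtm",
    ".jsp",
}

# Substrings the analysis lists; an address containing any of them is skipped.
EXCLUDED_SUBSTRINGS = [
    "rating@", "f-secur", "news", "update", "anyone@", "bugs@", "contract@",
    "feste", "gold-certs@", "help@", "info@", "nobody@", "noone@", "kasp",
    "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux",
    "listserv", "certific", "sopho", "@foo", "@iana", "free-av",
    "@messagelab", "winzip", "google", "winrar", "samples", "abuse", "panda",
    "cafee", "spam", "pgp", "@avp.", "noreply", "local", "root@",
    "postmaster@",
]

# Upload endpoint quoted on the page.
UPLOAD_URL = "http://graficastrigo.com/imagenes/out.php?a=upl"

# Assumption: a conventional address pattern; the Trojan's own parser is not documented.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvested_file(path: str) -> bool:
    """True if the file extension is one the Trojan searches.
    Assumption: extension comparison is case-insensitive (Windows file names)."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in HARVESTED_EXTENSIONS


def is_excluded(address: str) -> bool:
    """True if the address contains any skip-list substring.
    Assumption: matching is case-insensitive; entries such as 'icrosoft' and
    'cafee' are written to hit the vendor name regardless of case."""
    lowered = address.lower()
    return any(s in lowered for s in EXCLUDED_SUBSTRINGS)


def harvest(text: str) -> List[str]:
    """Extract addresses from file contents, dropping excluded and duplicate ones.
    Returns unique addresses in first-seen order (de-duplication is an assumption)."""
    found: List[str] = []
    seen = set()
    for match in EMAIL_RE.finditer(text):
        addr = match.group(0)
        key = addr.lower()
        if key in seen or is_excluded(addr):
            continue
        seen.add(key)
        found.append(addr)
    return found


def find_upload_attempts(log_lines: Iterable[str]) -> List[str]:
    """Return log lines that reference the upload host and script path.
    Matching on host plus path (not the full query string) also catches a
    variant that changes the 'a=' parameter; host-only matching would be noisier."""
    return [
        line for line in log_lines
        if "graficastrigo.com" in line.lower() and "imagenes/out.php" in line.lower()
    ]


# Constructed sample input: a mail file as the Trojan might find it on disk.
SAMPLE_TEXT = """From: Alice Example <alice@example.com>
To: bob@contoso.org, support@vendor.example
Cc: John.Doe@Microsoft.com, alice@example.com
Contact postmaster@contoso.org if this bounces."""

# Constructed sample proxy log (Squid-style access log format is an assumption).
SAMPLE_PROXY_LOG = [
    "1145080000.123 10.0.0.5 TCP_MISS/000 0 POST http://graficastrigo.com/imagenes/out.php?a=upl - DIRECT/- -",
    "1145080001.456 10.0.0.6 TCP_HIT/200 512 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    print("harvested:", harvest(SAMPLE_TEXT))
    print("upload attempts:", find_upload_attempts(SAMPLE_PROXY_LOG))
```

Running the block against the sample text yields only alice@example.com and bob@contoso.org: the support@, Microsoft and postmaster@ addresses fall to the skip-list, which is why the page notes the exposure is to spammers rather than to the vendors and abuse desks the Trojan deliberately avoids. The log check is useful even though the host did not resolve at the time of writing: a failed connection attempt still leaves a DNS query or a proxy entry with a zero-byte response, as in the first constructed line.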

Recommended Action

FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

FortiClient systems:

  • Quarantine/Delete infected files detected

Reference: ID - 180045