Virus Central - The Place for Virus Info
Win32/Platan.Trojan

Win32/Platan.Trojan (also known as Win32.PWS.Platan and IExpand.Trojan) is a network-oriented, password-stealing Trojan Horse that emails the victim's passwords and other personal data to its writer. Platan has been seen in the field and has been distributed as the file "iexpand.exe".

When first run, Platan modifies the registry so that it runs at subsequent startups and logins by setting the "iexpand" value of the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. To the user who runs "iexpand.exe", nothing appears to happen and no new process shows up in the standard Windows Task List; because Platan runs as a service process, it operates as a "hidden" background process. Platan then deletes "C:\WINDOWS\REGEDIT.EXE" and "C:\WINDOWS\SYSTEM\MSCONFIG.EXE", copies the original installation file to "C:\WINDOWS\SYSTEM\IEXPAND.EXE" and deletes the original. To allay suspicion about the new IEXPAND.EXE in the Windows system directory, the file's date and time stamps are set to match those of the core Windows system file KERNEL32.DLL.

Beyond this, Platan waits for dial-up networking connections. When one is made, Platan uses its own code to send an email message, presumably to its writers. The message contains various details about the host machine and its current user, such as the CPU type, OS version, OS registered user name and organization, user details from ICQ, IP address, ISP phone number, ISP account name and password, modem type, default Internet Explorer home page, and a few more. The message is sent directly by Platan, which attempts to connect to mail.ru and uses its own SMTP sending routine, so it does not depend on any particular email program or standard email interface (such as MAPI) being installed. These messages are addressed to four accounts: PlatanA, PlatanB, PlatanC, and super_pass.
This password-stealing Trojan has not been thoroughly analyzed; it is conceivable that it can be used to install further malicious software such as network backdoors, Remote Access Trojans, etc. If so, details of your machine, the network bandwidth likely available to you, and similar information are in the hands of your attacker before they plan that part of their attack. Further, they may have access to network resources from your ISP in your name, using the account names and passwords Platan collects for them.

To cure an infected system, restore RegEdit.Exe from another system running the same version of Windows if necessary, delete the registry value mentioned above, reboot the system, and delete all executables reported as Win32/Platan.Trojan.
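The following triage script is an added example, not code from the original page: it checks a host for the indicators described above (the "iexpand" Run value, IEXPAND.EXE in the system directory with a timestamp copied from KERNEL32.DLL, and the deleted REGEDIT.EXE and MSCONFIG.EXE). The paths assume the Win9x layout named on the page, the live collector only runs on Windows, and the sample inputs are constructed.

```python
import os

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINDIR, SYSDIR = r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"   # Win9x layout from the page
WATCHED = (SYSDIR + r"\IEXPAND.EXE", SYSDIR + r"\KERNEL32.DLL",
           WINDIR + r"\REGEDIT.EXE", SYSDIR + r"\MSCONFIG.EXE")


def platan_indicators(run_values, files):
    """run_values: {name: command} from HKLM\\...\\Run; files: {path: (exists, mtime)}."""
    files = {p.lower(): v for p, v in files.items()}
    exists = lambda p: files.get(p.lower(), (False, None))[0]
    mtime = lambda p: files.get(p.lower(), (False, None))[1]
    findings = []
    for name, cmd in run_values.items():          # persistence: the "iexpand" Run value
        if name.lower() == "iexpand" or "iexpand.exe" in str(cmd).lower():
            findings.append(f"Run value {name!r} -> {cmd}")
    dropped, kernel = WATCHED[0], WATCHED[1]
    if exists(dropped):                           # dropped copy in the system directory
        findings.append("IEXPAND.EXE present in the Windows system directory")
        if exists(kernel) and mtime(dropped) == mtime(kernel):
            findings.append("IEXPAND.EXE timestamp equals KERNEL32.DLL (timestomped)")
    for tool in WATCHED[2:]:                      # admin tools the Trojan deletes
        if tool.lower() in files and not exists(tool):
            findings.append(f"{tool} missing, possibly deleted by the Trojan")
    return findings


def collect_live():
    """Read the real Run key and file state on a Windows host."""
    import winreg  # Windows-only module
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:                       # raised once all values are read
                break
            run_values[name], i = data, i + 1
    files = {p: (os.path.exists(p), os.path.getmtime(p) if os.path.exists(p) else None)
             for p in WATCHED}
    return run_values, files


# Constructed sample of an infected host; not real telemetry.
SAMPLE_RUN = {"iexpand": r"C:\WINDOWS\SYSTEM\IEXPAND.EXE", "SysTray": "SysTray.Exe"}
SAMPLE_FILES = {WATCHED[0]: (True, 926000000.0), WATCHED[1]: (True, 926000000.0),
                WATCHED[2]: (False, None), WATCHED[3]: (False, None)}

if __name__ == "__main__":
    inputs = collect_live() if os.name == "nt" else (SAMPLE_RUN, SAMPLE_FILES)
    print("\n".join(platan_indicators(*inputs) or ["no Platan indicators found"]))
```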

© TekWarrior.com. To protect and inform the public. All rights reserved.