Penn Computing

Trojan.Download.Berbew


Brief Description:
--------------------

Trojan.Download.Berbew is a Trojan Horse that affects machines running Windows 95, 98, ME, NT, 2000, and XP. It arrives as an email attachment named either web.da.us.citi.heloc.pif or E-Loan-Appraiser-Results.pif. This Trojan Horse has been spammed to a large number of individuals in an email message claiming to be from Citibank Accounting or E-Loan.com. If executed, it attempts to download and run a backdoor that steals passwords and opens ports on the infected machine.

Symantec has announced that definitions dated July 16, 2003 or later will detect Trojan.Download.Berbew and Backdoor.Berbew. However, there have been conflicting reports as to whether the definitions from July 16th detect this trojan and backdoor. To account for this, we recommend updating your definitions to the July 22, 2003 definitions, which can be downloaded from Symantec (choose the .exe download, not the .vdb) or locally. Once you download the executable, run it to install the July 22nd definitions.

Also, the July 23rd, 2003 definitions should be released late tomorrow afternoon via LiveUpdate. There have been a few reports of this Trojan appearing on campus so far.


Characteristics:
------------------

The Trojan arrives in an email with one of the following sets of message characteristics; the most prevalent one on campus has been the E-Loan spoof.

---------------------------------------------------------
From: (spoofed) Citibank Accounting <accounting@web.da.us.citibank.com>
Subject: Re: Your credit application
Attachment: web.da.us.citi.heloc.pif (5,664 bytes)
Message Body:

Dear sir,

Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.

*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
---------------------------------------------------------
Or:

From: (spoofed) E-Loan Consumer Department <consumer.support@e-loan.com>
Subject: Re: Your E-Loan Refinance Application Declined
Attachment: E-Loan-Appraiser-Results.pif
Message body:

Dear sir,

Thank you for your recent online Refinance Application with E-Loan Inc.
Apparently you have moved from your current home address a couple of months ago,
so we coulnd't verify your identity with Credit Bureaus and Chexsystems. We are
sorry for any inconvenience. Attached are scanned copies of your Home Value, Grant
Deeds and your current Credit Profile from 3 major Credit Bureaus. Take a close look
at it, as you will receive hard copies by usps mail in few days.
---------------------------------------------------------
Or:

From: (spoofed) Wells Fargo Accounting <wfba.accounting@wellsfargo.com>
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
Attachment: wellsfargo.biz.jsessionid.pif
Message body:

Dear Sir,

Thank you for your online application for a Business Account with Wells Fargo. We appreciate your interest in banking with us.
In order to open a Business Account, we must receive specific credit information that is verifiable. Because Wells Fargo has no locations in your state, we are unable to confirm the credit information in your application. Consequently, we regret to say that we cannot open an account for your business at this time.

Attached are your Wells Fargo Application and your Social Security File.

Sincerely,
Sherli Chin
Business Resource Center Services
Wells Fargo Bank
---------------------------------------------------------

When the Trojan Horse attachment is executed, it will do the following:

-- Download Backdoor.Berbew from the Internet and save it as %System%\Rtdx32.exe.
-- Run Backdoor.Berbew.

When Backdoor.Berbew is run, it will do the following:

-- Create the mutex "Webber10_" to make sure it runs in a single instance.

-- Drop itself as %System%\<random filename>.exe, where <random filename> is either eight random letters or six random letters followed by the string "32", with the first letter capitalized.
For example, it may drop itself as %System%\Gmhhoj32.exe or %System%\Djbpnoof.exe.

-- Drop the file %System%\<random filename>.dll, where <random filename> is generated by the same rules as the dropper's name. The .dll file is 5,633 bytes, and Symantec products detect it as Backdoor.Berbew. Backdoor.Berbew uses the .dll file to launch the Backdoor.Berbew executable.

-- Create the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32

so that the Trojan runs when you start Windows.

-- Create the (Default) value in the aforementioned registry key and set it to the dropped .dll filename.
For example, the Trojan may set the default value to %System%\Oikenhgi.dll.

-- Create the value:
"ThreadingModel"="Apartment"

in the aforementioned registry key.

-- Create the value:
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

so that the .dll file is loaded when you start Windows. Backdoor.Berbew patches the contents of the dropped .dll file by writing its own filename into it so that the .dll file knows the name of the Backdoor.Berbew executable file and can then run it.

-- Read the data appended to its own executable, decrypt it, and use it as its configuration data. The configuration data may include the port numbers that the backdoor uses, the URL of other configuration files, the URL to which system information and intercepted data are submitted, and so on.

-- Attempt to obtain access to the password cache stored on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others.

The Trojan may use the following files to log the passwords and to store downloaded configuration data:

%System%\NtXgl16.dat
%System%\NtXgl16.vxd
%System%\NtXgl16.sys

-- Enumerate active windows and attempt to intercept any entered data. It also intercepts the contents of the clipboard. The Trojan may also target Internet bank accounts to steal login details.

To intercept entered data effectively, the Trojan needs the user to type the login details rather than have them filled in automatically. For this purpose, it attempts to disable password caching and to disallow AutoComplete by setting the following registry values:

"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
"Use FormSuggest"="yes"

in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

-- Open the ports specified in its appended configuration data and listen on them for incoming connections. The port numbers may vary; the sample available at the time of the Backdoor.Berbew analysis contained the port numbers 7714 and 8546.
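
As an added example (not part of the advisory and not Symantec's or Penn's code), the following offline triage script parses a regedit-style .reg export and flags the persistence indicators described above: the "Web Event Logger" entry under ShellServiceObjectDelayLoad pointing at the Berbew CLSID, the InProcServer32 (Default) value naming the loaded .dll, and whether that filename follows the dropped-file naming rule. The sample export, its placeholder entry and its C:\WINDOWS\System32 path are constructed for illustration.

```python
import re

# Indicators as listed in the advisory above.
BERBEW_CLSID = "{79FA9088-19CE-715D-D85A-216290C5B738}"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
INPROC_KEY = "\\".join([r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", BERBEW_CLSID, "InProcServer32"])
# Dropped-file naming rule: a capital letter, then seven lower-case letters or five plus "32".
DROPPED_NAME = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")

def is_dropped_name(filename):
    """True if filename follows the naming rule the advisory gives for dropped files."""
    return DROPPED_NAME.match(filename) is not None

def parse_reg_export(text):
    """Parse a regedit-style .reg export into {KEY (upper-cased): {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):      # [KEY] section header
            current = line[1:-1].upper()                      # key names are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")               # "Name"="data" or @="data"
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")       # .reg doubles backslashes
            keys[current][name] = data
    return keys

def berbew_findings(keys):
    """Return the Berbew persistence indicators from the advisory that appear in the export."""
    findings = []
    if keys.get(SSODL_KEY.upper(), {}).get("Web Event Logger", "").upper() == BERBEW_CLSID:
        findings.append("ShellServiceObjectDelayLoad 'Web Event Logger' -> Berbew CLSID")
    dll = keys.get(INPROC_KEY.upper(), {}).get("(Default)", "")
    if dll:                                                   # CLSID present: report which DLL it loads
        tag = " (matches dropped-file naming rule)" if is_dropped_name(dll.rsplit("\\", 1)[-1]) else ""
        findings.append("Berbew CLSID InProcServer32 -> " + dll + tag)
    return findings

# Constructed sample export, not taken from a real machine; the first SSODL entry is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PlaceholderEntry"="{00000000-0000-0000-0000-000000000000}"
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\System32\\Oikenhgi.dll"
"""
```

Run it against an export made with regedit (File > Export, or `regedit /e`) of the two keys; an empty findings list means neither indicator is present, and a hit on the CLSID line names the .dll to remove along with the key.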


Recovery:
-----------

Because Trojan.Download.Berbew installs a backdoor, we strongly recommend that infected machines be formatted. If you choose not to format the machine, you can try the following.

-- Restart your computer in Safe mode or VGA mode.
-- Disable System Restore (Windows Me/XP).
-- Update the virus definitions.
-- Run a full system scan and delete all the files detected as Backdoor.Berbew or Trojan.Download.Berbew.
-- Delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32


Protection:
------------

Symantec has announced that definitions dated July 16, 2003 or later will detect Trojan.Download.Berbew and Backdoor.Berbew. However, there have been conflicting reports as to whether the definitions from July 16th detect this trojan and backdoor. To account for this, we recommend updating your definitions to the July 22, 2003 definitions, which can be downloaded from Symantec (choose the .exe download, not the .vdb) or locally. Once you download the executable, run it to install the July 22nd definitions. Instructions on how to update NAV definition files are located at:

http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html


Further information:
-----------------------

Further information on Trojan.Download.Berbew and Backdoor.Berbew can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.download.berbew.html
http://www.europe.f-secure.com/v-descs/webber.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_REBBEW.A
http://vil.mcafee.com/dispVirus.asp?virus_k=100487
http://www.sophos.com/virusinfo/analyses/trojwebbera.html

Information Systems and Computing
University of Pennsylvania

