[ mstarc17 @ 25.03.2004. 14:00 ] @
How do I get rid of it?
[ Sundance @ 12.12.2004. 12:44 ] @
This detection is for a downloading trojan known to have been spammed to many users on several occasions. The latest of which occurred on May 23, 2004, in a message as follows:

--
From: cosmo [[email protected]]
Subject: International Virtual Greetings Center
Body:

Congratulations! You've recieved a postcard from your mom!

"I Sent the Sun"

Picture attached.


========

International Virtual Greetings Center www.freegreetings.com

Attachment: Picture.zip (containing report.pif)
--

May 16, 2004 spamming

From: sales [[email protected]]
Subject: Re: Payment approved (invoce #5997)
Body:

Dear customer! Thank you for shopping with us!

Sales department approved your payment, you will be billed
within 2 days. Shipping UPS ground insured.

See the attached file for details. (report # 5986)

Attachment: REPORT.ZIP (Zip file containing REPORT.EXE)

Other mass mailings include the following message:

From: support ([email protected]) this may change
Subject: Re: item purchase
Body:

Thank you for shopping with us!
See the attached file for details.

Best Regards!

Attachment: DETAILS.ZIP (Zip file containing DETAILS.EXE)

The trojan exists only to download and execute a remote file (path to which is stored in the trojan). Access to the following domains should be blocked at the firewall to prevent the file download:

http://marnet.us
http://animalloversleague.org
http://technalytics.net

When run, it attempts to download this file via HTTP, saving it to the Windows system directory as TEMPFILE.EXE or TMPFILE.EXE:

%SysDir%\TEMPFILE.EXE
%SysDir%\TMPFILE.EXE

This file is then executed.

Obviously the exact contents of this file may change. At the time of writing it is a remote access trojan, detection for which is included in the daily DATs as BackDoor-BAC.
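As an added illustration of how a defender could act on the indicators listed in the post above (this is example code written for this thread, not part of the original posts or of the vendor description quoted in them), the script below matches outbound proxy log lines against the three download hosts, flags ZIP attachments that wrap an executable the way Picture.zip, REPORT.ZIP and DETAILS.ZIP did, and looks for the TEMPFILE.EXE / TMPFILE.EXE drop files in a directory listing. The proxy log lines, the log format, and the directory listing are constructed sample data; the only page-derived values are the host names and file names.

```python
import os
import re

# Indicators taken from the description above: the three download hosts and the
# two file names the downloader writes into the Windows system directory.
BLOCKED_HOSTS = {"marnet.us", "animalloversleague.org", "technalytics.net"}
DROP_FILES = {"TEMPFILE.EXE", "TMPFILE.EXE"}

# Extensions that made the spammed ZIP attachments dangerous (report.pif, REPORT.EXE,
# DETAILS.EXE); .scr and .com are added as an assumption, they are not on the page.
EXEC_EXT = {".exe", ".pif", ".scr", ".com"}

# Constructed proxy log in a simple "timestamp client method url status" layout.
# The fourth line uses a look-alike host to show that suffix matching is anchored
# on a dot, so "notmarnet.us" does not match "marnet.us".
SAMPLE_PROXY_LOG = """\
1085000001 10.0.0.12 GET http://marnet.us/update/report.exe 200
1085000002 10.0.0.15 GET http://www.example.com/index.html 200
1085000003 10.0.0.12 GET http://www.technalytics.net/a.exe 200
1085000004 10.0.0.20 GET http://notmarnet.us/x 200
"""

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def host_matches(host, blocked=BLOCKED_HOSTS):
    """True if host is one of the blocked domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def find_blocked_requests(log_text, blocked=BLOCKED_HOSTS):
    """Return the log lines whose request URL points at a blocked host."""
    hits = []
    for line in log_text.splitlines():
        m = URL_HOST_RE.search(line)
        if m and host_matches(m.group(1), blocked):
            hits.append(line)
    return hits


def suspicious_attachment(zip_name, members):
    """Flag a ZIP attachment (by name and member list) that contains an executable."""
    if not zip_name.lower().endswith(".zip"):
        return False
    return any(os.path.splitext(m)[1].lower() in EXEC_EXT for m in members)


def find_drop_files(sysdir, listing=None):
    """Return which of the known drop-file names appear in the system directory.

    `listing` lets a caller pass a directory listing directly (used for offline
    tests); when it is None the real directory is read with os.listdir.
    """
    if listing is None:
        listing = os.listdir(sysdir)
    present = {name.upper() for name in listing}
    return sorted(f for f in DROP_FILES if f in present)


if __name__ == "__main__":
    for line in find_blocked_requests(SAMPLE_PROXY_LOG):
        print("blocked host contacted:", line)
    print("Picture.zip suspicious:", suspicious_attachment("Picture.zip", ["report.pif"]))
    # %SystemRoot%\System32 is the usual system directory on the hosts the post
    # describes; on a non-Windows machine this simply reports nothing found.
    sysdir = os.path.join(os.environ.get("SystemRoot", ""), "System32")
    if os.path.isdir(sysdir):
        print("drop files present:", find_drop_files(sysdir))
```

The host check compares the URL host against each blocked domain either exactly or as a dotted suffix, so `www.technalytics.net` is caught while the look-alike `notmarnet.us` is not; a firewall rule that matches on plain substrings would get that case wrong. The attachment check works on the ZIP's member names, which is what a mail gateway sees without having to run anything.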