Australia's Leading Computer Emergency Response Team

Frequently Asked Questions (FAQ) regarding the "Prime Minister heart attack" Trojan
Date: 22 February 2007
Original URL: https://auscert.org.au/render.html?cid=5&it=7330




What is this all about?

Am I at risk?

Have I been infected?

What can be done to recover?

Where can I get additional information?


What is this all about?

A common computer security threat is malicious software (malware). There are many types of malware, one of which is the Trojan Horse (Trojan), which can be a web site or software that appears to have one harmless function, but really contains additional, malicious functionality. Trojans can be installed by visiting a website, clicking on a link or opening some types of files.

On Monday 19 February 2007 AusCERT received reports of a spam email circulating containing links to malicious web sites, which attempted to install Trojans. There were several variations of the spam email, the most prevalent claiming that the Prime Minister of Australia, John Howard, had suffered a heart attack. AusCERT released AusCERT Alert AL-2007.0026 warning of this activity. AusCERT has allocated the code AUSCERT#200732ef7 to uniquely identify and track this first malicious site and malware.

There were also subsequent similar spam emails, using similar fake news stories, which pointed to other malicious .hk (Hong Kong) web sites. While the spam and sites had similarities, the Trojan that was installed was different. AusCERT released a (member only) update AU-2007.0006 containing this additional information. AusCERT has allocated the code AUSCERT#2007ee1ce to uniquely identify and track this second malicious site and malware.

Finally, due to additional media attention, AusCERT released the following press release.


Am I at risk?

The spam emails themselves are not malicious and opening them will not cause your computer to become infected. Only by clicking on the links in the spam emails can you potentially be infected with this malware.

The web site and the Trojan were designed specifically to target Microsoft Internet Explorer running on a Windows system. If you use Mac OS X or another operating system you are not vulnerable to this particular Trojan.

The web site used a vulnerability in Internet Explorer (MS06-014) to install the malicious software. If you regularly install patches (using Microsoft Automatic Updates, for example) or operate your system as an unprivileged user, then you are unlikely to have been infected with this malware.

Note that at the time of release, this Trojan was not detected by most anti-virus software. So if you clicked on the link soon after the email arrived in your inbox, it is unlikely your AV software would have detected and prevented the infection. However, most AV companies now detect this malware. If the Trojan was successfully installed prior to detection being available, it may have subverted your anti-virus software and you may not be able to detect this infection now. AusCERT recommends contacting your anti-virus technical support if you are unsure.


Have I been infected?

Anti-virus software may be able to detect and remove an infection. Update your anti-virus definitions and perform a complete system scan. You may also wish to use an online virus scanner. AusCERT is aware of the following online scanners:


The first Trojan (AUSCERT#200732ef7) downloaded 1.exe. This file is known as a "dropper" and created the following files on a standard Microsoft Windows XP system:


C:\2.exe
C:\2.bat
C:\ieschedule.exe

Note that there may be other files downloaded and installed by this trojan that are not listed here.

The second Trojan (AUSCERT#2007ee1ce) downloaded a single executable iexplore.exe. This program then downloaded various other components and created the following files on a standard Microsoft Windows XP system:


C:\WINDOWS\system32\mcert.dll
C:\WINDOWS\system32\msiphelp.dll
C:\WINDOWS\system32\mt_32.dll
C:\WINDOWS\system32\pstore.dll
C:\WINDOWS\system32\taskmang.exe
C:\WINDOWS\system32\winnet.dll
C:\WINDOWS\system32\ws_imod.dll


Note that in both cases the above sets of files do not exist on a standard Windows system and, if present, strongly suggest successful installation of the Trojan. However, if these files are not present on a particular system, that is not a guarantee that the system is not infected.
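The file checks described in this section, written up as an added example (not an AusCERT tool). It looks for the two indicator sets above under a drive root supplied as a parameter, so it can be pointed at the live system drive or at a mounted copy of an infected disk, and it reports the result with the same caveat the FAQ gives: a hit is a strong signal, an empty result is not a clean bill of health.

```python
import os
import sys
from pathlib import Path

# Files this FAQ reports being created on a standard Windows XP system,
# relative to the system drive root, keyed by AusCERT tracking code.
INDICATORS = {
    "AUSCERT#200732ef7": [  # first Trojan, dropped by 1.exe
        r"2.exe",
        r"2.bat",
        r"ieschedule.exe",
    ],
    "AUSCERT#2007ee1ce": [  # second Trojan, downloaded by iexplore.exe
        r"WINDOWS\system32\mcert.dll",
        r"WINDOWS\system32\msiphelp.dll",
        r"WINDOWS\system32\mt_32.dll",
        r"WINDOWS\system32\pstore.dll",
        r"WINDOWS\system32\taskmang.exe",
        r"WINDOWS\system32\winnet.dll",
        r"WINDOWS\system32\ws_imod.dll",
    ],
}


def check_indicators(root, indicators=INDICATORS):
    """Return {tracking_code: [relative paths present]} for files found under root.

    root is a parameter so the check can also be run against a mounted image
    or an offline copy of the drive, not only the live system.
    """
    base = Path(root)
    found = {}
    for code, rel_paths in indicators.items():
        # Split on the Windows separator so the check also works on a POSIX host.
        present = [p for p in rel_paths if base.joinpath(*p.split("\\")).exists()]
        if present:
            found[code] = present
    return found


def assess(found):
    """Interpret a check_indicators() result the way the FAQ does."""
    if found:
        # These files never exist on a clean XP install, so any hit is a strong signal.
        return "likely infected"
    # Absence is not proof: the dropper may have fetched files not listed here.
    return "no listed indicators (not a guarantee the system is clean)"


if __name__ == "__main__":
    drive = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemDrive", "C:") + "\\"
    hits = check_indicators(drive)
    for code, paths in hits.items():
        print(code, "->", ", ".join(paths))
    print(assess(hits))
```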


What can be done to recover?

Once a system has been compromised, it is extremely difficult to guarantee its integrity. The only absolutely effective solution is to format the hard drive and re-install the operating system from the installation CDs. More information on this is available in the AusCERT document "Protecting your computer from malicious code" (section "Recovering from an infection").

Some anti-virus software may also be able to remove this malware; however, other infections may still be present on the system.


Where can I get additional information?

Websense have published several alerts relating to this activity:

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=741

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=743


Credits

AusCERT would like to thank Alex Tilley from Suncorp for his assistance in providing this information.