









W32/Brepbot.A Trojan
| Name | W32/Brepbot.A Trojan |
| Aliases | BKDR_BREPBOT.A, Backdoor.Naninf.E |
| Discovered on | June 15, 2006 |
Virus Information - W32/Brepbot.A Trojan:
W32/Brepbot.A is a trojan that arrives as a spammed email message and infects Windows systems.
The subject of the infected mail is one of the following:
Osama Bin Laden Dead
Osama Found Hanged
The body of the infected mail is:
Hello,
Osama Bin Ladin was found hanged by two CNN journalists early Monday evening. As evidence they took several photos, some of which we have included here. As yet, this information has not hit the headlines due to Bush wanting confirmation of his identity but the journalists have released some early photos over the internet which can be found attached.
CNN
****************************
The Professional News Team
****************************
The name of the infected attachment is one of the following:
article.zip
suspiciousphoto.zip
article+photos.zip
articlephotos.zip
suspectimage.zip
suspectphoto.zip
cctv-footage.zip
article_july_1823.zip
article_july_0077.zip
article_july_1734.zip
article_july_2417.zip
article_july_1726.zip
article_july_8048.zip
article_july_8092.zip
article_july_4409.zip
article_july_4988.zip
article_july_2614.zip
article_july_2865.zip
article_july_5503.zip
article_july_6301.zip
article_july_8477.zip
article_july_8491.zip
article_july_7817.zip
article_july_9935.zip
cctvstill.zip
photo+article.zip
photoandarticle.zip
photos.zip
The zip file contains an executable called Photo and Article.exe.
Upon execution, the trojan copies itself to the Windows System folder as svchon32.exe.
The trojan modifies the registry at the following locations so that it loads at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The backdoor component of the trojan connects to random ports and allows the remote user to upload, execute and delete files on the victim computer.
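A mail-filter check built from the subjects, attachment names and zip member listed above, as an added example that is not part of the original description. The function names, the sample messages and the four-digit pattern that generalises the listed article_july names are assumptions.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECTS = {"osama bin laden dead", "osama found hanged"}
ZIP_NAMES = {"article.zip", "suspiciousphoto.zip", "article+photos.zip",
             "articlephotos.zip", "suspectimage.zip", "suspectphoto.zip",
             "cctv-footage.zip", "cctvstill.zip", "photo+article.zip",
             "photoandarticle.zip", "photos.zip"}
# Assumption: generalises the listed article_july_NNNN.zip names to any 4 digits.
JULY_ZIP = re.compile(r"article_july_\d{4}\.zip")
PAYLOAD = "photo and article.exe"

def check_message(raw: bytes) -> list:
    """Return the indicator classes matched by one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ZIP_NAMES or JULY_ZIP.fullmatch(name):
            hits.append("attachment-name")
        try:  # list the archive directory only; nothing is extracted or run
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            continue  # not a zip (or corrupt): the name check above still counts
        if any(m.rsplit("/", 1)[-1].lower() == PAYLOAD for m in members):
            hits.append("zip-member")
    return hits

def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test message; the zip member holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample("Osama Found Hanged", "article_july_1823.zip", "Photo and Article.exe")))
    print(check_message(build_sample("Quarterly report", "renamed.zip", "Photo and Article.exe")))
```

The second sample shows why the zip directory is inspected as well: a renamed attachment with an unrelated subject still matches on the member name.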
