BrowserModifier:Win32/Iedown is a data-stealing Trojan. This threat may arrive as an attachment to an e-mail message, disguised as a complaint against the recipient of the message that has been filed with the U.S. Department of Justice (US DOJ).
The e-mail message is spoofed to make it appear to have originated from a 'usdoj.gov' domain. Below is the text of a spammed e-mail message that may carry the attachment:
To: [e-mail address]
From: US Department of Justice [complaintscenter @ usdoj.gov]
Subject: Complaint Update for %Recipient name%, %Company name% (Case id: #2F0E14)
Body:
[link to banner graphic from usdoj.gov Web site]
Dear %Recipient name% ,
A complaint has been filled against the company you are affiliated to ( %Company Name% ) in regards to the domain of business activity.
The complaint was filled by Mr. Harry Johnson on 12/01/2007 and has been forwarded to us and the IRS . Complaint Case Number: #2F0E14 Date: 12/01/2007
A copy of the original complaint and the contact information of Mr. Harry Johnson has been attached to this e-mail.Please print and keep this copy for your personal records.
Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
Claims based on product liability;
Claims for personal injuries;
Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties. The decision as to whether your dispute or any part of it can be arbitrated rests solely with the US Department of Justice.
The Department of Justice offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
Installation
If the attached file 'complaint.scr' is run, it drops a Web browser helper object (BHO) in the form of a dynamic link library (DLL) named 'C:\xp2007.dat'. Next, the dropper registers this DLL using REGSVR32.EXE, creating the following registry entries within the hive HKEY_LOCAL_MACHINE\Software:
..\{13C5F3C6-22C0-45B5-8CA2-FF04A152706E}
"1" = "êõô×s`9"
..\Classes\CLSID\{13C5F3C6-22C0-45B5-8CA2-FF04A152706E}
"(default)" = "0"
..\Classes\CLSID\{13C5F3C6-22C0-45B5-8CA2-FF04A152706E}\InprocServer32
"(default)" = "c:\xp2007.dat"
This threat will then run as a BHO when the Web browser Internet Explorer is launched.
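As an added defender-side check that is not part of the original advisory, the following PowerShell enumerates the BHOs registered on a host, resolves each one to its in-process server DLL, and flags the CLSID and DLL path listed above. It assumes the standard Browser Helper Objects registration key under Explorer (a Windows convention the advisory does not mention); the heuristics for a non-.dll server or a DLL in a drive root are my own.

```powershell
# Added example (not the advisory's code). Indicators below are taken from the advisory text.
$IedownClsid = '{13C5F3C6-22C0-45B5-8CA2-FF04A152706E}'
$IedownDll   = 'c:\xp2007.dat'

function Get-RegisteredBho {
    # Enumerate every CLSID registered as a BHO and resolve its InprocServer32 path.
    # Assumption: the standard BHO registration key (not stated on the page).
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

function Test-SuspiciousBho {
    # Return the list of reasons a BHO registration looks suspicious (empty = nothing found).
    param([Parameter(Mandatory)] [string]$Clsid, [string]$Dll)
    $reasons = @()
    if ($Clsid -ieq $IedownClsid) { $reasons += 'CLSID matches Win32/Iedown' }
    if ($Dll -and ($Dll -ieq $IedownDll)) { $reasons += 'DLL path matches Win32/Iedown' }
    # Heuristics (assumptions, not from the advisory): a COM server that is not a .dll,
    # or one sitting directly in a drive root, is unusual for legitimate BHOs.
    if ($Dll -and ($Dll -notmatch '\.dll$')) { $reasons += 'in-proc server is not a .dll file' }
    if ($Dll -and ($Dll -match '^[a-z]:\\[^\\]+$')) { $reasons += 'DLL lives in a drive root' }
    return $reasons
}

# The advisory lists the CLSID under Classes\CLSID directly, so check that key as well,
# in case the BHO key enumeration above misses it.
$direct = "HKLM:\SOFTWARE\Classes\CLSID\$IedownClsid\InprocServer32"
if (Test-Path $direct) {
    $dll = (Get-ItemProperty -Path $direct).'(default)'
    Write-Warning ("Win32/Iedown CLSID present: {0} -> {1}" -f $IedownClsid, $dll)
}

Get-RegisteredBho | ForEach-Object {
    $hits = Test-SuspiciousBho -Clsid $_.Clsid -Dll $_.Dll
    if ($hits) { Write-Warning ("{0} -> {1}: {2}" -f $_.Clsid, $_.Dll, ($hits -join '; ')) }
    else       { Write-Output  ("OK {0} -> {1}" -f $_.Clsid, $_.Dll) }
}
```

Run from an elevated prompt so the HKLM keys are readable; a hit on either indicator warrants isolating the host and checking for outbound connections to the address named in the Payload section.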
Payload
This Trojan may be used to steal a user's personal information, such as electronic banking logon details and other passwords. It gathers personal information such as session cookies, the URL cache, and application window messages. To record application messages, the Trojan installs a system-wide hook.
Win32/Iedown may send gathered information to IP address 203.223.159.229.