Trojan:Win32/Whitewell.A is a trojan that allows remote access and control and communicates with remote websites including a user account on the social networking site "facebook.com".
When run, the trojan drops a copy of itself as the following:
The registry is modified to run the trojan at each Windows start.
Adds value: "MCAFEEIPS"
With data: "%TEMP%\setup.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Disables McAfee firewall service
The trojan attempts to locate and disable the McAfee desktop firewall service named "FireSvc.exe". Terminating the service allows the trojan to perform its remote website connection payload.
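As an added host-side check (example code written for this entry, not part of the original analysis), the PowerShell below inspects the HKCU Run key for the "MCAFEEIPS" value and for any Run entry that launches from %TEMP%, and reports whether the McAfee desktop firewall service is stopped. The service short name "FireSvc" is assumed from the executable name given above, and the McAfee display-name match is likewise an assumption; the value name, data and subkey are the ones described in this entry.

```powershell
# Added example, not from the original writeup. Checks a host for the
# persistence and firewall-tampering indicators described in this entry.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'MCAFEEIPS'                       # value name from the entry
$svcName   = 'FireSvc'                         # ASSUMED from "FireSvc.exe"
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$findings = @()

# 1. Run-key persistence: the named value, and any value whose data resolves
#    into %TEMP% (the drop folder the entry names).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip provider metadata
        $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        if ($prop.Name -eq $valueName) {
            $findings += "Run value '$($prop.Name)' present with data '$data'"
        }
        elseif ($data -like "$env:TEMP\*") {
            $findings += "Run value '$($prop.Name)' launches from %TEMP%: '$data'"
        }
    }
}

# 2. Firewall service state: report the service if it exists but is not running.
$services = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $svcName -or $_.DisplayName -like '*McAfee*Firewall*' }
foreach ($s in $services) {
    if ($s.Status -ne 'Running') {
        $findings += "Firewall service '$($s.Name)' ($($s.DisplayName)) is $($s.Status)"
    }
}

if ($findings.Count -eq 0) { 'No Whitewell indicators found' } else { $findings }
```

Run it in the context of the user profile being examined, since the Run key lives under HKCU; a value pointing into %TEMP% is worth reviewing even when its name differs, because the name "MCAFEEIPS" is chosen to resemble legitimate security software.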
Allows remote access and control
Trojan:Win32/Whitewell.A logs into the social networking website "m.facebook.com" using an embedded e-mail address and password. It then parses the notes page and performs certain actions depending on the following note titles:
If Facebook access is unsuccessful, Trojan:Win32/Whitewell.A will access another predefined remote domain "kennethorr.org" to receive commands.
All Facebook postings by Win32/Whitewell have the title "L.Simeona".
Analysis by Rodel Finones
the trojan posts a note with the status of the operation and the infected computer's current date and time
the trojan attempts to download an executable file to the %TEMP% folder and execute it
if the operation is successful, the trojan posts a note with the status of the operation and the infected system's current date and time
contacts a remote server and awaits commands from an attacker; depending on the received command, the trojan can perform the following actions:
"pslist" - retrieves the list of running processes and sends the base64-encoded results to the specified remote address
"pskill" - terminates a specified process
"localpath" - gets the path of the currently running Win32/Whitewell file
"http://" - downloads a file to the %TEMP% folder
"exit" - terminates the Win32/Whitewell process and deletes the trojan