[virusinfo] Troj/Lineage-O

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 07 Jun 2005 14:39:23 -0700

From: Sophos Alert System:

Name: Troj/Lineage-O
Aliases: PWSteal.Lineage, Trojan-Downloader.Win32.Delf.nd, PWS-Lineage.dll
Type: Trojan
Date: 7 June 2005

Sophos has issued protection for Troj/Lineage-O.

At the time of writing, Sophos has received a small number of
reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about Troj/Lineage-O can be found at:
http://www.sophos.com/virusinfo/analyses/trojlineageo.html

Troj/Lineage-O is a password-stealing Trojan for the Windows platform that
attempts to steal passwords associated with the games called "Lineage" and
"Lineage II".

Troj/Lineage-O will copy itself to the Windows system folder as explorer.exe.
Troj/Lineage-O will also create a DLL in the Windows system folder named
htdll.dll (also detected as Troj/Lineage-O).

Troj/Lineage-O searches for the "Lineage", "Lineage Windows Client" and
"Lineage II" windows in an attempt to initiate a keylogging routine. Collected
information is sent to a remote user via email.

In order to run automatically each time a user logs on, Troj/Lineage-O sets the
registry entry:

  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load
  <Windows system folder>\explorer.exe

Troj/Lineage-O will attempt to disable a number of anti-virus and
security-related processes and windows, including:

  EGHOST.EXE
  MAILMON.EXE
  KAVPFW.EXE
  IPARMOR.EXE
  RavMon.exe
  ZoneAlarm

Troj/Lineage-O may also attempt to download and execute files from the
internet.

The Troj/Lineage-O virus identity file (IDE) includes detection for:

Troj/StartPa-GS
http://www.sophos.com/virusinfo/analyses/trojstartpags.html
W32/Sdbot-ZF
http://www.sophos.com/virusinfo/analyses/w32sdbotzf.html
W32/Rbot-AEU
http://www.sophos.com/virusinfo/analyses/w32rbotaeu.html
W32/Rbot-AET
http://www.sophos.com/virusinfo/analyses/w32rbotaet.html
Troj/Dermon-A
http://www.sophos.com/virusinfo/analyses/trojdermona.html
Troj/Proxmeg-A
http://www.sophos.com/virusinfo/analyses/trojproxmega.html
W32/Rbot-AEW
http://www.sophos.com/virusinfo/analyses/w32rbotaew.html
Dial/Plygam-A
http://www.sophos.com/virusinfo/analyses/dialplygama.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for Troj/Lineage-O from:

http://www.sophos.com/downloads/ide/lineag-o.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html


*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
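A quick host triage check for the persistence entry and dropped files the Sophos advisory above describes, added here as an example; it is not code from Sophos or from the mailing list. It assumes a modern PowerShell (Get-FileHash, PowerShell 4 or later) and reads only the registry value, file names and folder named in the advisory; the note that the legitimate shell lives in the Windows folder rather than the system folder is my own observation.

```powershell
# Added triage check for the Troj/Lineage-O indicators named in the advisory.
# Run in an elevated PowerShell session on the suspect host; it only reads.
$sysDir  = [Environment]::GetFolderPath('System')    # e.g. C:\Windows\System32
$winDir  = [Environment]::GetFolderPath('Windows')   # e.g. C:\Windows
$regPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

$findings = @()

# 1. The per-user "load" value. The advisory says the Trojan points it at
#    <system folder>\explorer.exe; on a clean profile it is normally absent or empty.
$load = (Get-ItemProperty -Path $regPath -Name 'load' -ErrorAction SilentlyContinue).load
if ($load) {
    $findings += "HKCU ...\Windows\load is set: '$load'"
}

# 2. explorer.exe inside the *system* folder. The real shell is %WINDIR%\explorer.exe,
#    so a copy under System32 is suspicious by location alone.
$fakeExplorer = Join-Path $sysDir 'explorer.exe'
if (Test-Path $fakeExplorer) {
    $h = (Get-FileHash -Path $fakeExplorer -Algorithm SHA256).Hash
    $findings += "explorer.exe present in system folder: $fakeExplorer (SHA256 $h)"
}

# 3. The helper DLL named in the advisory.
$dll = Join-Path $sysDir 'htdll.dll'
if (Test-Path $dll) {
    $h = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    $findings += "htdll.dll present: $dll (SHA256 $h)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Lineage-O indicators found on this host.'
} else {
    Write-Output 'Possible Troj/Lineage-O indicators (verify with an up-to-date scanner):'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output "Legitimate shell location for comparison: $(Join-Path $winDir 'explorer.exe')"
}
```

Record the hashes it prints before cleaning, so the sample can be submitted and the IDE detection confirmed.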
