Trojan Dropper

The last day the S21sec ecrime team came across a new version of the already known Trojan Dropper variant, which counts to one of the most common Trojans found on infected machines.

The trojan installs a keylogger to sniff; and a BHO (Browser Helper Object) for Internet Explorer to be able to inject content into web pages. This content is defined in a configuration file which has drastically changed since the last version we looked at.

Now, the configuration file does not contain any external links to phishing pages anymore. So to injecting content into a web page, the local configuration is used and no external domains need to be contacted.

The actual version creates different files which can mostly found in the %System% folder (c:windowssystem32 in WinXP). The current .dll used as BHO is called jetaccs.dll and can be seen with HijackThis from Trendmicro.

Sniffed data is stored in %System%alog.txt. After restarting the browser this file is send to the c&c server and gets deleted afterward.

Currently, 142 affected sites can be found in the config file. Interesting are also the following entries:


A fast test confirmed the first guess, accounts from gmail don’t get sniffed, whereas account data from e.g. (not found in the configuration file) gets collected. The reason for this exclusion is not clear until now.

To manually disinfect a computer, HijackThis can be used to disable the BHO. %System%jetaccs.dll has to be renamed and can be deleted after a reboot.

Clemens Kurtenbach
S21sec e-crime

Deja un comentario

  • Anónimo 29 October, 2008 a las 11:22 pm Reply

    I am rather amazed about a company that allegedly provides eCrime services makes such a stupid old post. First of all you seem to think that ‘trojan dropper’ is a particular family rather than a generic name given by the AV industry that comprises the family you mention and many other more. Secondly, the family you describe might be as old as the sun itself… one of those typical XML encrypted config BHOs with a very stupid encryption routine. Most researchers call that family nethell/limbo, the stolen data is encrypted with a stupid XOR and saved in alog.txt. Folks, I must really congrtulate you for being so way beyond the rest of researchers in this field, congrats!

  • S21sec e-crime 30 October, 2008 a las 10:40 am Reply

    Hi “anonymous”,
    thanks for your very constructive criticism. I think reading the blog carefully and in a calm moment would clear everything. Anyway.
    First of all yes, this name comes from the AV companies and I use that name. If you want to call it limbo, this is fine for me.
    Secondly, I don’t describe the family. I describe that the people behind recently stopped using external phishing domains for injecting code, and I provide _some_ additional info. Nothing more, nothing less.
    And lastly, thanks for understanding that our blog is for different skilled people.