Trile creates the following files in the Windows directory:

Trile also creates multiple copies of itself in the directory C:\My Downloads. The names of these files are extremely variable and consist of three parts:

Part 1:
- AGE OF SAIL 2
- AGE OF WONDERS
- AIKAQUEST3HENTAI
- AIM ACCOUNT STEALER
- ALIENS VERSUS PREDATOR 2 PRIMAL HUNT
- AUSTERLITZ NAPOLEONS GREATEST VICTORY
- BLACK AND WHITE
- BORLAND DELPHI 6
- BORLAND DELPHI 7
- CABELAS ULTIMATE DEER HUNT 2
- CAT ATTACKS CHILD
- CIVILIZATION 3
- CKY3 – BAM MARGERA WORLD INDUSTRIES ALIEN WORKSHOP
- CLIVE BARKER’S UNDYING
- CLONE CD
- COMANCHE 4
- COMBAT FLIGHT SIMULATOR 3
- CRAZY TAXI
- CRITICAL POINT MANGA GAME TUNE
- DARK AGE OF CAMELOT SHROUDED ISLES
- DEADLY DOZEN
- DSL MODEM UNCAPPER
- DUKE NUKEM MANHATTAN PROJECT
- DWEEBS 2
- ELDER SCROLLS III MORROWIND THX BRRBRR
- EMPEROR RISE OF THE MIDDLE KINGDOM
- EMPIRE EARTH
- FIFA 2003
- FREEDOM FORCE
- GEARHEAD GARAGE
- GLADIATOR
- GLADIATOR
- GRAND PRIX 4
- HALF LIFE BLUE SHIFT
- HALF-LIFE ONLINE
- HALF-LIFE WON
- HARD TRUCK 18 WHEELS OF STEEL
- HITMAN 2 SILENT ASSASSIN
- HOYLE CARD GAMES 2003
- INDUSTRY GIANT 2
- INTERNATIONAL CRICKET CAPTAIN 2003
- INTERNET AND COMPUTER SPEED BOOSTER
- KAZAA SPYWARE REMOVER
- MACROMEDIA DREAMWEAVER MX
- MACROMEDIA FLASH 5.0
- MAFIA
- MICROSOFT OFFICE XP (ENGLISH)
- MORROWIND THX BRRBRR
- MOVIEZCHANNELSINSTALER
- MS TRAIN SIMULATOR
- MS TRAIN SIMULATOR
- MSN PASSWORD HACKER AND STEALER
- NECROMANIA TRAP OF DARKNESS
- NECROMANIA TRAP OF DARKNESS
- NERO BURNING ROM 5.8.0.1
- NEVERWINTER NIGHTS
- NORTON ANTIVIRUS 2002
- NORTON UTILITIES 2002 XP
- PRISONER OF WAR
- QUAKE 3 ARENA
- QUAKE 4 BETA
- RED ACE SQUADRON
- SIMS
- SOLDIERS OF ANARCHY
- SQUAD BATTLES EAGLES STRIKE
- STAR WARS II MOVIE
- STAR WARS STARFIGHTER
- STRIKE FIGHTER PROJECT 1
- STRONGHOLD CRUSADER
- SUDDEN STRIKE 2
- THE EYE OF KRAKEN
- THE NEVERENDING STORY PART I
- THE THING
- TOMB RAIDER 3
- TOMB RAIDER 3
- VALHALLA CHRONICLES
- WARCRAFT 3
- WINDOWS XP
- WINDOWS XP SP1
- WINRAR 3.2
- WINZIP 8.0
- XBOX.INFO
- ZIDANE-SCREENINSTALER
- ZONEALARM FIREWALL

Part 2:
It may include the string "ISO –"

Part 3:
- MANIA
- KEY GENERATOR.EXE
- FULL DOWNLOADER.EXE
- CRACK.EXE

If the C:\My Downloads directory does not exist, Trile creates it and then copies these files to it.

Trile creates the following keys in the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\<security_program>
  <number> = <email>
  Where <security_program> is one of the security program strings that the worm uses to end processes, <number> is an auto-incrementing number, and <email> stands for the addresses it obtains from the computer on which it is run.
- HKEY_LOCAL_MACHINE\SOFTWARE\<random_name>
  email_num
  Where email_num is the number of e-mail addresses it has stolen (these addresses could be repeated).
- HKEY_LOCAL_MACHINE\SOFTWARE\<random_name>
  Sent
  With a value that indicates the number of messages the worm has sent out.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  AUTOTRACE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  name1 = %windir%\name2.exe
  Where name1 and name2 are two random text strings created by the worm. It does this in order to run every time the computer is started.

Trile mainly spreads via e-mail and through the P2P (peer to peer) file sharing programs KaZaA and Shareaza.

1- Transmission via e-mail:

Trile reaches computers in a message with the following characteristics:

- Subject: One of the following:
  Your News Alert!! New Reading Membership Confirmation Cows Sponsors needed! Stats Click on this! Various! Bad news!! New bonus in your cash account! Free Shipping! Hi! Introduction Correction of errors! SCAM alert!!! Wow! Get 8 FREE issues – no riks!! History screen! 25 mechants and rising! Warning! Please Help... New Contests! CALL FOR INFORMATION $150 FREE Bonus!! Greets!! Report My eBay ads! Interesting... I need help about script!!! Fantastic! Announcement! Tools For Your Online Business! Its Easy! News Today Only!! Just a reminder! Lost & Found! Market Update Report! Its Easy! ing! Daily Email Reminder! Empty account! FSM32 Get a FREE gift! Payment Notices! Star Wars II Movie
- Message: One of the following:
  Attached one Gift for u.. More details attached! Check the attachment.. Check the attachment! See the attachment! Enjoy the attachment!
  Hi Check the attachment..
  Hi Check the attachment.. See u
- Attachments: One of the following:
  SCREENSAVER URFRIEND SCREENSAVERFORU SCREENSAVER4U LOVERSCREENSAVER WERFRIENDS SHAREIT SHARELOVE FRIENDSCR FRIENDS LOVESCR LOVERS LOVE FRIENDS4U LOVERSGANG CHECKFRIENDS FREESCREENSAVER TRUEFRIENDS TRUELOVERS LOVE4U RISHTHA PASSION SHAKESCR FRIENDSEARCH FRIENDSHIPFORU GREETINGS ENJOYLOVE LOVESHORE FRIENDSWORLD

These files have a double extension:

- One of the following extensions:
  GIF, MPG, MP3, XLS, WAV, DAT, JPG, HTM, XLS, TXT, MDB, BMP, DOC or ZIP.
- The real extension:
  BAT, PIF or SCR.

When it has infected a computer, Trile sends itself out to all the contacts in the Address Book in Outlook.

2- Transmission through KaZaA and Shareaza:

In order to spread through KaZaA and Shareaza, Trile follows the routine below:

- It creates copies of itself in the default shared directories of KaZaA and Shareaza.
- Other users of these programs will be able to access the directory and download these files. By doing this, users will download the worm to their computers, thinking that they are downloading useful programs, etc.
- When the downloaded file is run, these other computers will be infected by Trile.
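
The naming patterns described above (double-extension attachments and the suffixes of the shared-folder copies) can be checked by file name at a mail gateway or during a sweep of shared folders. The following Python is an added example, not part of the original description; the function names and sample file names are assumptions constructed for illustration, and only the three Part 3 suffixes ending in .EXE are matched.

```python
from pathlib import PureWindowsPath

# Indicator values copied from the description above.
DECOY_EXTS = {"GIF", "MPG", "MP3", "XLS", "WAV", "DAT", "JPG", "HTM",
              "TXT", "MDB", "BMP", "DOC", "ZIP"}
REAL_EXTS = {"BAT", "PIF", "SCR"}
ATTACHMENT_NAMES = set("""SCREENSAVER URFRIEND SCREENSAVERFORU SCREENSAVER4U
    LOVERSCREENSAVER WERFRIENDS SHAREIT SHARELOVE FRIENDSCR FRIENDS LOVESCR
    LOVERS LOVE FRIENDS4U LOVERSGANG CHECKFRIENDS FREESCREENSAVER TRUEFRIENDS
    TRUELOVERS LOVE4U RISHTHA PASSION SHAKESCR FRIENDSEARCH FRIENDSHIPFORU
    GREETINGS ENJOYLOVE LOVESHORE FRIENDSWORLD""".split())
LURE_SUFFIXES = ("KEY GENERATOR.EXE", "FULL DOWNLOADER.EXE", "CRACK.EXE")


def _normalise(name):
    # Keep only the file name, drop trailing dots/spaces (Windows ignores
    # them) and upper-case it so comparisons are case-insensitive.
    return PureWindowsPath(name).name.rstrip(". ").upper()


def check_attachment(name):
    """Return the reasons an e-mail attachment name matches the description."""
    parts = _normalise(name).split(".")
    reasons = []
    if len(parts) >= 3 and parts[-1] in REAL_EXTS and parts[-2] in DECOY_EXTS:
        reasons.append("double-extension")
    if parts[0] in ATTACHMENT_NAMES and parts[-1] in REAL_EXTS:
        reasons.append("known-name")
    return reasons


def check_shared_file(name):
    """Return the reasons a shared-folder file name matches the P2P lures."""
    base = _normalise(name).replace("\u2013", "-")  # treat en dash as hyphen
    reasons = []
    if base.endswith(LURE_SUFFIXES):
        reasons.append("lure-suffix")
        if "ISO -" in base:
            reasons.append("iso-marker")
    return reasons


# Constructed sample names, not taken from a real incident.
SAMPLES = ["LOVE4U.JPG.scr", "report.doc", "holiday.jpg.pif ", "notes.tar.gz"]
SHARED = [r"C:\My Downloads\WINZIP 8.0 ISO – CRACK.EXE", "setup.exe"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} {check_attachment(s)}")
    for s in SHARED:
        print(f"{s!r:45} {check_shared_file(s)}")
```

The double-extension rule also flags attachments whose base name is not in the list, which matters because a name match alone is easy to miss once a file has been renamed.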