
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Aifone.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Aifone.A takes advantage of the recent launch of the iPhone telephone, in order to deceive users.

In order to do so, it follows the routine below:

  • It registers itself as a BHO (Browser Helper Object), in order to be run whenever Internet Explorer is run.
  • When users access Apple's official website, iphone.com, they are redirected to another website, where this phone can be purchased.
    The false website is the following:
    http://mainstream.sales.online.exclusi<blocked>now.apple.iesecurityupdates.com/
  • However, this website has been created by the Trojan, and all the information users enter on it is gathered by Aifone.A.

Infection strategy 

Aifone.A creates the following files in the Windows system directory:

  • RWERA21S1.DLL, which registers itself as a BHO (Browser Helper Object).
  • CONFG.XML, which contains information about the false website.

 

Aifone.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA7F2000-EA05-489d-900C-3C7C0A5497A3}
  • HKEY_CLASSES_ROOT\CLSID\{AA7F2000-EA05-489d-900C-3C7C0A5497A3}\InprocServer32
    (Default) = %sysdir%\rwera21s1.dll

    where %sysdir% is the Windows system directory.
  • HKEY_CLASSES_ROOT\CLSID\{AA7F2000-EA05-489d-900C-3C7C0A5497A3}
    (Default) = H
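
The registry entries above can be checked for in a text export of the registry. The following is an added example, not Panda Security's code: it lists every Browser Helper Object in a `.reg` export, resolves each CLSID to its InprocServer32 DLL, and flags the Aifone.A CLSID or DLL name. The function names, the sample export, the second BHO and the use of C:\WINDOWS\system32 for %sysdir% are assumptions made for illustration.

```python
import re

# Indicators from the entry above (CLSID upper-cased for comparison).
AIFONE_CLSID = "{AA7F2000-EA05-489d-900C-3C7C0A5497A3}".upper()
AIFONE_DLL = "rwera21s1.dll"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects").upper()
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse .reg export text into {UPPER-CASED KEY: {value name: string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg files escape backslashes and quotes inside strings.
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit_bhos(text):
    """Return (clsid, dll_path, matches_aifone) for every registered BHO."""
    keys, findings = parse_reg(text), []
    for key in keys:
        parent, _, clsid = key.rpartition("\\")
        if parent != BHO_KEY:
            continue
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\INPROCSERVER32", {})
        dll = server.get("", "")  # "" holds the (Default) value
        hit = clsid == AIFONE_CLSID or dll.lower().endswith("\\" + AIFONE_DLL)
        findings.append((clsid, dll, hit))
    return findings

# Constructed sample export; the second BHO and all paths are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA7F2000-EA05-489d-900C-3C7C0A5497A3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{AA7F2000-EA05-489d-900C-3C7C0A5497A3}\InprocServer32]
@="C:\\WINDOWS\\system32\\rwera21s1.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for clsid, dll, hit in audit_bhos(SAMPLE_EXPORT):
        print("AIFONE.A" if hit else "ok", clsid, dll or "<no InprocServer32>")
```

Version 5.00 exports written by regedit are UTF-16 encoded, so decode the file with that encoding before passing its text to `audit_bhos`.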

Means of transmission 

Aifone.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Aifone.A is written in the programming language Visual C++ v6. This Trojan is 28,672 bytes in size.