;Template Description for Analyst:
;AnalystName: Enter your complete name
;AnalystEMailID: E-mail ID of the analyst
;Team: Specify the team you belong to: China, India, Romania or Ukraine
;Date: Date in dd-mmm-yyyy format on which you write or update this description, e.g. 10-JAN-2010
;Type: Taken from the malware name; for Virus.Win32.Virut the Type is Virus
;Platform: Always fixed as Win32 as of now
;Family: The family this description belongs to
;Variant: If you are writing for a specific variant in a family, say so, e.g. Virus.Win32.Virut.CE
;OVERVIEW: Give a brief overview of the malware's behaviour
;TECHNICAL_DESCRIPTION: Give the complete technical description
;SYMPTOMS: If a system infected with the malware shows any visible symptoms that an end user can recognise, list them here
;DISINFECTION: Manual steps a user can follow to remove the malware, such as removing certain registry entries or files, go here.
;
;The "Removal instructions" at http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790 are a good example.
;Here are a few example links where other vendors have published information in various
;http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99
;http://www.f-secure.com/v-descs/virus_w32_virut.shtml
;http://vil.nai.com/vil/content/v_154029.htm
;http://www.avast.com/eng/win32beagle.html
;http://free.avg.com/ww-en/66558
;http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790
;This ini file should be filled in for every major variant and attached to the related ticket in trac
[INFO]
AnalystName=Vaishnavi.V.K
AnalystEMailID=vaishnavik@comodo.com
Team=India
Date=02-FEB-2010
Type=TrojWare
Platform=Win32
Subtype=
Family=Homa
Variant=A
[OVERVIEW]
This Trojan downloads and installs malicious programs onto the victim machine without the user's knowledge and steals sensitive banking-related data.
[TECHNICAL_DESCRIPTION]
Registry Values Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"win0334.exe" = "%System%\win0334.exe"
(%System% is the Windows system directory, usually C:\Windows\System32)

Registry Keys Modified:
HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect\
"dbsq0010.whservidor.com" = "-1173749750:tcp:dbsq0010.whservidor.com,1433"

Files Added:
In %Program Files%
bck.bck
win0334.exe
afsys.exe
dospro.exe

Behaviour:
Checks whether the compromised machine has an internet connection
Connects to ***10.whservidor.com:39173
Deletes the dropped file %Program Files%\bck.bck

[SYMPTOMS]

[DISINFECTION]
Delete the following files from %Program Files%:
bck.bck
win0334.exe
afsys.exe
dospro.exe
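The indicators in the technical description above (the Run value, the dropped file names and the whservidor.com host) can be turned into a host check that a responder runs against an inventory exported from a suspect machine. The script below is an added example and is not part of the original description or of any Comodo tooling; the inventory format (a dictionary of Run values, a list of %Program Files% entries and the MSSQL client LastConnect entries) and the sample data are constructed for the example, while the indicator values come from the page.

```python
"""Match a host inventory against the Trojan.Win32.Homa.A indicators above.

Added example, not part of the original description. Indicator values are
taken from the [TECHNICAL_DESCRIPTION] section; the inventory layout and the
sample inventory are constructed for this example.
"""
import ntpath
from typing import Dict, Iterable, List

# Indicators from the description.
RUN_VALUE_NAME = "win0334.exe"
DROPPED_FILES = {"bck.bck", "win0334.exe", "afsys.exe", "dospro.exe"}
C2_HOST_SUFFIX = "whservidor.com"  # ***10.whservidor.com:39173, dbsq0010.whservidor.com


def _basename_of_command(data: str) -> str:
    """Return the lower-cased program basename from a Run value's data.

    Run value data may be quoted, may carry arguments and may use variables
    such as %System%; only the program name is needed for matching.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        prog = data[1:end] if end > 0 else data[1:]
    else:
        prog = data.split(" ", 1)[0]
    return ntpath.basename(prog).lower()


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values whose name or target matches the Trojan's autostart entry."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or _basename_of_command(data) == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} -> {data!r}")
    return findings


def check_program_files(entries: Iterable[str]) -> List[str]:
    """Flag %Program Files% entries whose name matches a dropped file.

    bck.bck is deleted by the Trojan itself after it runs, so its absence
    alone does not clear the host.
    """
    return [f"File {ntpath.basename(e)}" for e in entries
            if ntpath.basename(e).lower() in DROPPED_FILES]


def check_network_cache(last_connect: Dict[str, str]) -> List[str]:
    """Flag MSSQL client LastConnect entries that point at the C2 domain."""
    return [f"LastConnect {h!r} = {v!r}" for h, v in last_connect.items()
            if h.lower().endswith(C2_HOST_SUFFIX)]


def scan(inventory: dict) -> List[str]:
    """Run all checks over one inventory and return the findings."""
    findings: List[str] = []
    findings += check_run_values(inventory.get("run", {}))
    findings += check_program_files(inventory.get("program_files", []))
    findings += check_network_cache(inventory.get("mssql_last_connect", {}))
    return findings


# Constructed sample inventory: one benign entry per category plus the indicators.
SAMPLE_INVENTORY = {
    "run": {
        "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
        "win0334.exe": "%System%\\win0334.exe",
    },
    "program_files": [
        "C:\\Program Files\\Common Files",
        "C:\\Program Files\\bck.bck",
        "C:\\Program Files\\afsys.exe",
    ],
    "mssql_last_connect": {
        "dbsq0010.whservidor.com": "-1173749750:tcp:dbsq0010.whservidor.com,1433",
    },
}

if __name__ == "__main__":
    for line in scan(SAMPLE_INVENTORY) or ["no indicators found"]:
        print(line)
```

Matching is done on the program basename rather than the full Run value data, because the data on a live host will hold the expanded system directory path rather than the %System% placeholder used in the description. Any finding is confirmed by inspecting the listed Run value and files directly and then following the [DISINFECTION] steps.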