TROJ_RAMDO.JER

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%\Adobe\acupx217.dll

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

• %Program Files%\iexplore.exe
• %Windows%\winhelp32.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{GUID}iU-ffffffff

It injects codes into the following process(es):

• %Windows%\winhelp32.exe
• %Program Files%\iexplore.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This Trojan drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\EPUHelp.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other System Modifications

This Trojan deletes the following files:

• %User Profile%\Cookies\index.dat
• %User Profile%\Cookies\* - All cookie files

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\Adobe\
Acrobat Reader\10.0\IPM
iTestPropulsion = "{encrypted values}"

HKEY_CURRENT_USER\SOFTWARE\Adobe\
Acrobat Reader\10.0\IPM
iTestShears = "{encrypted values}"

Backdoor Routine

This Trojan connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{randomly generated domain}.org/

It posts the following information to its command and control (C&C) server:

• GUID
• OS version
• Adobe Flash version
• Virtual machine status

Other Details

This Trojan connects to the following URL(s) to check for an Internet connection:

• http://www.google.com/

It deletes the initially executed copy of itself

NOTES:

This Trojan creates another instance of an existing process and modifies the entrypoint code of the process to execute the following component:

• %Application Data%\Adobe\acupx217.dll

It searches for the following loaded DLLs and attempts to unload them:

• UMEngx86.dll - (Norton AV product component)
• wl_hook.dll - (Agnitum Firewall product component)

It sets the attribute of the following file to Encrypted:

• %User Startup%\EPUHelp.exe

It checks the following registry entry for the strings VMWARE,VBOX, and VIRTUAL to determine if it is running under virtual environment:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum

It scans the following registry entries to determine the Adobe Flash version installed on the system:

HKEY_LOCAL_MACHINE\software\classes\clsid\{d27cdb6e-ae6d-11cf-96b8- 444553540000}

HKEY_LOCAL_MACHINE\software\macromedia\flashplayeractivex

It uses the following URL as referrer to access the site where it generates its click-fraud:

• http://{BLOCKED}litter.com/

It uses the advertisements from the following IP address for its click-fraud routine:

• {BLOCKED}.{BLOCKED}.193.11

It deletes all URL cache entries contained in the following file if it fails to delete the file itself:

• %User Profile%\Cookies\index.dat

It hooks the following APIs to hide its click-fraud routine:

• CoCreateInstance
• DialogBoxIndirectParamAorW
• GetCursorPos