TROJ_DLOADER.KR

 Analysis by: Sabrina Lei Sioting

 ALIASES:

Trojan-Spy.Win32.Zbot.bltn (Kaspersky); Downloader (Symantec); Troj/Bdoor-BCD (Sophos)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


  TECHNICAL DETAILS

File Size:

54,784 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

01 May 2011

Other System Modifications

This Trojan creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = "0"

Download Routine

This Trojan saves the files it downloads using the following names:

  • %System%\config\zhsuoqpi

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other Details

This Trojan connects to the following URL(s) to check for an Internet connection:

  • http://google.com/

It connects to the following possibly malicious URL:

  • http://{BLOCKED}kynk.{BLOCKED}3.in/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIW8kaUV
    yam9zeHk9Tn5DSgIQAkxDUU1bFx0CHQAdCQECHQ
    EABwVEDwgCDA0QCnVwcGUlM3tvJjwmJ2VrPC4jbG
    J1MiA1PGVpfC4yNC9iUUcDAAcKEwkcVFpcShlTXkNB
    REpMR05OT18UGghAT1nk6Oa,tLW_5ri5uru8vb6_oKGiow==/count.htm
  • http://{BLOCKED}rldmap.com/othersee/out/12.exe
  • http://{BLOCKED}bv.cn/stat.php?w=12&i=01d59e4c49689e4c11ac270063626041&a=2
  • http://{BLOCKED}bv.cn/update.db
  • http://{BLOCKED}f.{BLOCKED}1.in/t/jsotxmIzJ5-kfmsNuygpN/pic.jpg
  • http://{BLOCKED}rldmap.com/ldpatch/load.php?pin=009a000000000000
  • http://{BLOCKED}rldmap.com/ldpatch/softpatch.php?afid=154
  • http://{BLOCKED}bv.cn/stat.php?w=12&i=01d59e4c49689e4c11ac270063626041&a=4
  • http://{BLOCKED}bv.cn/stat.php?w=12&i=01d59e4c49689e4c11ac270063626041&a=9
  • http://{BLOCKED}bv.cn/stat.php?w=12&i=01d59e4c49689e4c11ac270063626041&a=11
  • http://{BLOCKED}f.{BLOCKED}1.in/t/LJMygLNEXc-kfmsNuygpN/pic.jpg
  • http://{BLOCKED}selector.us/ea.php?p=1&aid=154

  SOLUTION

Minimum Scan Engine:

8.900

FIRST VSAPI PATTERN FILE:

8.128.08

FIRST VSAPI PATTERN DATE:

01 May 2011

NOTES:


Did this description help? Tell us how we did.