TROJ_DROPR.SMY
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
147,455 bytes
EXE
Yes
08 Apr 2011
Drops files
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan drops the following files:
- %System%\360sp.dll - detected by Trend Micro as BKDR_FARFLI.SML
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
ImagePath = %system%\svchost.exe - netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
ServiceDll = %system%\360sp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
ServiceMain = MichaelJackson

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
Type = 120

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
DisplayName = Microsoft Device Manager

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
ObjectName = LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
Description = 监测和监视新硬件设备并自动更新设备驱动
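
The registry entries above can be checked for on a host. The following is an added example, not part of the original write-up: it parses the text output of "reg query HKLM\SYSTEM\CurrentControlSet\Services /s" and reports services whose ServiceDll, ServiceMain or DisplayName match the values listed above. The sample input is constructed, and the function and variable names are this example's own.

```python
import ntpath
import re

# Indicators taken from the registry entries listed above (compared case-insensitively).
IOCS = {"servicedll": "360sp.dll",
        "servicemain": "michaeljackson",
        "displayname": "microsoft device manager"}
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif line.startswith("    ") and current is not None:
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # value name, value type, data
                current[parts[0]] = parts[2]
    return keys

def find_hits(keys):
    """Return {service_name: [matching values]} for keys under Services."""
    hits = {}
    for path, values in keys.items():
        if not path.upper().startswith(SERVICES.upper()):
            continue
        service = path[len(SERVICES):].split("\\")[0]
        # ServiceDll is compared by file name so any folder prefix still matches.
        reasons = [f"{name} = {data}" for name, data in values.items()
                   if IOCS.get(name.lower()) == ntpath.basename(data).lower()]
        if reasons:
            hits.setdefault(service, []).extend(reasons)
    return hits

# Constructed sample in `reg query ... /s` layout: one clean service, one matching.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcsvc.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
    DisplayName    REG_SZ    Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    ServiceDll    REG_EXPAND_SZ    %system%\360sp.dll
    ServiceMain    REG_SZ    MichaelJackson
"""

if __name__ == "__main__":
    for service, reasons in find_hits(parse_reg_query(SAMPLE)).items():
        print(service, "->", "; ".join(reasons))
```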