TROJ_VICEPASS.A

This Trojan targets routers and attempts to log in to all the devices connected to the routers. It pretends to be an Adobe Flash update.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information.

It deletes itself after execution.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• l - contains default and random login names, deleted after execution
• p - contains default and random passwords, deleted after execution

Backdoor Routine

This Trojan connects to the following websites to send and receive information:

• http://{BLOCKED}um.net/index.php

Other Details

This Trojan deletes itself after execution.

NOTES:

This Trojan tries to check the private network IPs: {BLOCKED}2.{BLOCKED}8.[0-6].[0-11] and uses l and p files to try to login using listed login names and passwords respectively.

It also checks for the following strings when accessing the Private network IPs:

• dlink
• d-link
• laserjet
• apache
• cisco
• gigaset
• asus
• apple
• iphone
• ipad
• logitech
• samsung
• xbox

This malware uses the following list of possible user names:

• admin
• Admin
• administrator
• Administrator
• bbsd-client
• blank
• cmaker
• d-link
• D-Link
• guest
• hsa
• netrangr
• root
• supervisor
• user
• webadmin
• wlse

It uses the following list of passwords:

• _Cisco
• 0000
• 000000
• 1000
• 1111
• 111111
• 1111111
• 11111111
• 111111111
• 112233
• 1212
• 121212
• 123123
• 123123Aa
• 123321
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 1234567890
• 1234qwer
• 123ewq
• 123qwe
• 131313
• 159753
• 1q2w3e4r
• 1q2w3e4r5t
• 1q2w3e4r5t6y7u8i9o0p
• 1qaz2wsx
• 2000
• 2112
• 2222
• 222222
• 232323
• 321123
• 321321
• 3333
• 4444
• 654321
• 666666
• 6969
• 7777
• 777777
• 7777777
• 88888888
• 987654
• 987654321
• 999999999
• abc123
• abc123
• abcdef
• access
• adm
• admin
• Admin
• Administrator
• alpine
• Amd
• angel
• asdfgh
• attack
• baseball
• batman
• blender
• career
• changeme
• changeme2
• Cisco
• cisco
• cmaker
• connect
• default
• diamond
• D-Link
• dragon
• ewq123
• ewq321
• football
• gfhjkm
• god
• hsadb
• ilove
• iloveyou
• internet
• Internet
• jesus
• job
• killer
• klaster
• letmein
• link
• marina
• master
• monkey
• mustang
• newpass
• passwd
• password
• password0
• password1
• pepper
• pnadmin
• private
• public
• qazwsx
• qwaszx
• qwe123
• qwe321
• qweasd
• qweasdzxc
• qweqwe
• qwerty
• qwerty123
• qwertyuiop
• ripeop
• riverhead
• root
• secret
• secur4u
• sex
• shadow
• sky
• superman
• supervisor
• system
• target123
• the
• tinkle
• tivonpw
• user
• User
• wisedb
• work
• zaq123wsx
• zaq12wsx
• zaq1wsx
• zxcv
• zxcvb
• zxcvbn
• zxcvbnm