TROJ_DLOADER.KR
Aliases: Trojan-Spy.Win32.Zbot.bltn (Kaspersky); Downloader (Symantec); Troj/Bdoor-BCD (Sophos)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
TECHNICAL DETAILS
File Size: 54,784 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 01 May 2011
Other System Modifications
This Trojan creates the following registry entry to bypass Windows Firewall (the value disables the firewall for the domain profile):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall = "0"
Download Routine
This Trojan saves the files it downloads using the following names:
- %System%\config\zhsuoqpi
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Other Details
This Trojan connects to the following URL(s) to check for an Internet connection:
- http://google.com/
It connects to the following possibly malicious URL:
SOLUTION
Minimum Scan Engine: 8.900
First VSAPI Pattern File: 8.128.08
First VSAPI Pattern Release Date: 01 May 2011