search
close

TROJ_DROPPR.SMAK

October 09, 2012
 Analysis by: kathleenno
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes registry entries, causing some applications and programs to not function properly.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

02 May 2011

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Trojan deletes the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = "{IP address}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpDomain = "localdomain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Network ID}
DhcpNameServer = "{IP address}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Network ID}
DhcpDefaultGateway = "{hex value}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Network ID}
DhcpDomain = "localdomain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Network ID}
DhcpSubnetMaskOpt = "{hex value}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Network ID}\Parameters\
Tcpip
DhcpDefaultGateway = "{hex value}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Network ID}\Parameters\
Tcpip
DhcpSubnetMaskOpt = "{hex value}"

Other Details

This Trojan deletes itself after execution.