TROJ_NITOL.EC
DDoS:Win32/Nitol.A (Microsoft), Trojan.Microfake.D (Bitdefender), Win32/Agent.RNS trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
47,104 bytes
EXE
11 Sep 2013
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following file(s)/component(s):
- %User Temp%\SOFTWARE.LOG
- %System%\{random}.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
- %System%\hra{random number}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
Description = "Distribusda Transaction Coordinator Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
Type = "10"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
ImagePath = "%System%\{random}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
DisplayName = "Distribuqxb Transaction Coordinator Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav
Description = "Distribusda Transaction Coordinator Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV
NextInstance = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000
Service = "Distribuaav"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000
Legacy = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000
ConfigFlags = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000
Class = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000
DeviceDesc = "Distribuqxb Transaction Coordinator Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000\Control
*NewlyCreated* = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DISTRIBUAAV\
0000\Control
ActiveService = "Distribuaav"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav\Security
Security = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav\Enum
0 = "Root\LEGACY_DISTRIBUAAV\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav\Enum
Count = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distribuaav\Enum
NextInstance = "1"
Process Termination
This Trojan terminates the following processes if found running in the affected system's memory:
- ZhuDongFangYu.exe
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}6.3322.org/
Mobile Malware Routine
This Trojan opens the following port(s):
- 688