TROJ_DLOADE.FBV

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %System%\FlashPlayerUpdateService.exe
• %System%\Macromed\Flash\FlashPlayerUpdateService.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
Type = "20"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
ImagePath = "%System%\Macromed\Flash\FlashPlayerUpdateService.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
DisplayName = "Adobe Flash Player Update Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc
Description = "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes."

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AdobeFlashPlayerUpdateSvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_ADOBEFLASHPLAYERUPDATESVC

The scheduled task executes the malware at the following period:

• %Windows%\Tasks\AdobeFlashPlayerUpdate.job - executes the malware daily every one hour
• %Windows%\Tasks\AdobeFlashPlayerUpdate 2.job - executes the malware at system startup

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\AdobeFlashPlayerUpdate

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}evaillancourt.sytes.net/attachments/tc.c1

It saves the files it downloads using the following names:

• %User Temp%\{random number}.tmp - BKDR_MEVADE.A

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

NOTES:

It accepts the following parameters:

• /i - installs copies of itself into the system
• /r - registers the dropped copy as a service
• /w - downloads arbitrary file