TROJ_OTLARD
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
OTLARD variants, also known as GOOTKIT, are used primarily to compromise websites with malicious iframe code.
OTLARD performs the aforementioned routine by downloading command modules that contain the target website and its corresponding FTP credentials. The credentials are then used to infiltrate the website.
The OTLARD malware family is also known to drop rootkit components in order to hide its malicious components.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs, Compromises system security, Downloads files
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM
Randseed_1 = "{hex values}"
HKEY_LOCAL_MACHINE\SYSTEM
Randseed_2 = "{hex values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = "{malware path and filename}:Enabled:{malware filename}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}
ImagePath = "\SystemRoot\System32\drivers\{random}.sys"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Epoch
Epoch = "84"
(Note: The default value data of the said registry entry is 82.)
Dropping Routine
This Trojan drops the following files:
- %System32\drivers\{random}.sys
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.229.140
- {BLOCKED}n.cc
- {BLOCKED}0.org
- {BLOCKED}8quoob8moh.com
- {BLOCKED}us4nohshiy.com
- {BLOCKED}eshacei2ae.com