PHER


 ALIASES:

Nirava

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


The PHER family of Trojans arrive as downloaded files from malicious sites. Its main purpose is to download other files on an affected system. The downloaded files are used to either steal information or cause system damage.

  TECHNICAL DETAILS

File Size:

Varies

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Downloads files

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Program Files%\mcmst\{malware name}.exe
  • %Program Files%\{malware name}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • %Program Files%\mcmst

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware name}.exe = "%Program Files%\mcmst\{malware name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware name}.exe = "%Program Files%\{malware name}.exe"

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\mcmst
date = "{date of execution}"

HKEY_LOCAL_MACHINE\SOFTWARE\sink
inchk = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\sink
"" =

HKEY_LOCAL_MACHINE\SOFTWARE\sink
inchkter = "1"

HKEY_LOCAL_MACHINE\SOFTWARE
inchk = "1"

HKEY_LOCAL_MACHINE\SOFTWARE
date = "{date executed}"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\mcmst

HKEY_LOCAL_MACHINE\SOFTWARE\sink

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}r.com/
  • http://www.{BLOCKED}r.com/
  • http://{BLOCKED}buri.kr/ver/pver.php