TROJ_SHYLOCK.A

This Trojan connects to certain URLs using a specific format. If the connection is successful, it may download another file and execute it, thus also exhibiting its malicious routines. During testing, however, the URLs are already inaccessible.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%\{random path}\{random name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• CRXT
• {randomGUID}MX
• MTX_{randomGUID}

It is injected into the following processes running in memory:

• explorer.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{randomGUID} = %Application Data%\{random path}\{random name}.exe

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\BrowserEmulation
TLDUpdates = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1406 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1609 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = "1"

Download Routine

This Trojan connects to the following malicious URLs:

• {BLOCKED}sadv.cc
• {BLOCKED}at.cc
• {BLOCKED}sphere.cc

NOTES:

{random GUID} is computed from the computer name SID. {random name} is any file name of executable files in the %System% folder as the file name of its dropped copy.

It connects to the abovementioned URLs using the following format:

• {domain}\ping.html
• {domain}\HJ-UK-4.jpg

If the connection is successful, it may download another file and execute it, thus also exhibiting its malicious routines. During testing, however, the URLs are already inaccessible.