TROJ_EXEDOT.SM

This Trojan may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating registry keys/entries.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Autostart Technique

This Trojan registers itself as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry keys:

HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}

HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}

HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

HKEY_CLASSES_ROOT\AppID\main.DLL

HKEY_CLASSES_ROOT\main.BHO

HKEY_CLASSES_ROOT\main.BHO.1

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\
InProcServer32
@ = {malware path and file name}.DLL

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

• {BLOCKED}kzcompile.com
• {BLOCKED}exad.com

It saves the files it downloads using the following names:

• %User Temp%\\{random}.TMP - downloaded file
• %Current%\\{malware name}.sig - possible configuration file

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

Based on analysis of the codes, it has the following capabilities:

• This malware connects to URLs to possibly download other malicious files and configuration files.

It does the following:

• It checks and records if the following processes are running in system memory:
• acaas.exe
• acaegmr.exe
• acais.exe
• acals.exe
• acasp.exe
• afmain.exe
• ahnsd.exe
• ahnsdsv.exe
• almon.exe
• alsvc.exe
• aluschedulersvc.exe
• apvxdwin.exe
• ashdisp.exe
• ashmaisv.exe
• ashserv.exe
• ashwebsv.exe
• aswupdsv.exe
• avengine.exe
• avesvc.exe
• avgam.exe
• avgamsvr.exe
• avgas.exe
• avgcc.exe
• avgemc.exe
• avgfws8.exe
• avgnsx.exe
• avgnt.exe
• avgrsx.exe
• avgtray.exe
• avguard.exe
• avgupsvc.exe
• avgwdsvc.exe
• avgwsvc.exe
• avkproxy.exe
• avkservice.exe
• avktray.exe
• avkwctl.exe
• avmailc.exe
• avp.exe
• avpmapp.exe
• avwebgrd.exe
• AxEetucexEllehS
• bdagent.exe
• bdtupdateservice.exe
• caavguiscan.exe
• caglobal.exe
• cagloballight.exe
• capfasem.exe
• cappactiveprotection.exe
• cavrid.exe
• ccenter.exe
• cclaw.exe
• ccprovsp.exe
• ccsvchst.exe
• cctray.exe
• cfgmng32.exe
• consctl.exe
• counterspy.exe
• drwebscd.exe
• dvpapi.exe
• egui.exe
• ekrn.exe
• elogsvc.exe
• emlproui.exe
• emlproxy.exe
• escanmon.exe
• fameh32.exe
• fch32.exe
• fpavserver.exe
• fprottray.exe
• fsaua.exe
• fsav32.exe
• fsavgui.exe
• fsdfwd.exe
• fsgk32st.exe
• fsguidll.exe
• fsm32.exe
• fsma32.exe
• fsmb32.exe
• fsqh.exe
• fssm32.exe
• fsus.exe
• fulltiltpoker.exe
• gdfirewalltray.exe
• gdfwsvc.exe
• guard.exe
• guardxkickoff.exe
• guardxservice.exe
• guardxup.exe
• hfacsvc.exe
• hpcsvc.exe
• hrres.exe
• hsvcmod.exe
• iface.exe
• isafe.exe
• itmrtsvc.exe
• k7emlpxy.exe
• k7fwsrvc.exe