TROJ_INJECT.OJ

 Analysis by: Cris Nowell Pantanilla

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

20,480 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

08 Apr 2009

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %System%\Cpl32ver.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Cpl32ver = "%System%\Cpl32ver.exe"

Other Details

This Trojan connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.55.50
  • {BLOCKED}.{BLOCKED}.194.240
  • {BLOCKEd}.{BLOCKED}.56.22

However, as of this writing, the said sites are inaccessible.