TROJ_RECSLURP.UIT

This Trojan arrives as attachment to mass-mailed email messages. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any information-stealing capability.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives as attachment to mass-mailed email messages.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %System%\csrss.exe
• %System%\rundll32.exe
• %System%\svchost.exe
  or
  
• %Application Data%\csrss.exe
• %Application Data%\rundll32.exe
• %Application Data%\svchost.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{GUID}
• Local\{GUID}

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Registry ValueName} = "%Application Data%\csrss.exe" or "%System%\csrss.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Registry ValueName} = "%Application Data%\rundll32.exe" or "%System%\rundll32.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Registry ValueName} = "%Application Data%\svchost.exe" or "%System%\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Windows = "{Malware's path}\{malware filename}.exe" ← if it fails to drop any copies

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Software\Microsoft\Shared Police
MachineParamCPUU = "{hex data}"

HKEY_CURRENT_USER\Software\Microsoft\
Software\Microsoft\Shared Police
MachineParam = "{hex data}"

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Information Theft

This Trojan does not have any information-stealing capability.

Other Details

This Trojan connects to the following URL(s) to check for an Internet connection:

• plus.smtp.mail.yahoo.com
• smtp.gmail.com

It connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}..147.95
• {BLOCKED}.{BLOCKED}..213.8
• {BLOCKED}.{BLOCKED}.220.164
• {BLOCKED}.{BLOCKED}.169.175
• {BLOCKED}.{BLOCKED}.77.9
• {BLOCKED}.{BLOCKED}.131.131
• {BLOCKED}.{BLOCKED}.112.136
• {BLOCKED}.{BLOCKED}.112.139
• {BLOCKED}.{BLOCKED}.68.219
• {BLOCKED}.{BLOCKED}.187.116
• {BLOCKED}.{BLOCKED}..188
• {BLOCKED}.{BLOCKED}.138.246
• {BLOCKED}.{BLOCKED}.68.138
• {BLOCKED}.{BLOCKED}.95.18
• {BLOCKED}.{BLOCKED}.37.97
• {BLOCKED}.{BLOCKED}.177.158
• {BLOCKED}.{BLOCKED}.10.131
• {BLOCKED}.{BLOCKED}.235.66
• {BLOCKED}.{BLOCKED}.145.130
• {BLOCKED}.{BLOCKED}.151.130
• {BLOCKED}.{BLOCKED}.209.182
• {BLOCKED}.{BLOCKED}.29.125
• {BLOCKED}.{BLOCKED}.89.154
• {BLOCKED}.{BLOCKED}.176.101
• {BLOCKED}.{BLOCKED}.242.108
• {BLOCKED}.{BLOCKED}.192.179
• {BLOCKED}.{BLOCKED}.87.47
• {BLOCKED}.{BLOCKED}.109.163
• {BLOCKED}.{BLOCKED}.244.234
• {BLOCKED}.{BLOCKED}.32.221
• {BLOCKED}.{BLOCKED}.46.52
• {BLOCKED}.{BLOCKED}.143.253
• {BLOCKED}.{BLOCKED}.187.95
• {BLOCKED}.{BLOCKED}.154.79
• {BLOCKED}.{BLOCKED}.88.20
• {BLOCKED}.{BLOCKED}.57.89
• {BLOCKED}.{BLOCKED}.254.44
• {BLOCKED}.{BLOCKED}.52.10
• {BLOCKED}.{BLOCKED}.213.139
• {BLOCKED}.{BLOCKED}.208.64
• {BLOCKED}.{BLOCKED}.145.90
• {BLOCKED}.{BLOCKED}.234.251
• {BLOCKED}.{BLOCKED}.104.51
• {BLOCKED}.{BLOCKED}.26.16
• {BLOCKED}.{BLOCKED}.218.87
• {BLOCKED}.{BLOCKED}.222.149
• {BLOCKED}.{BLOCKED}.98.84
• {BLOCKED}.{BLOCKED}.228.174
• {BLOCKED}.{BLOCKED}.200.29
• {BLOCKED}.{BLOCKED}.191.74
• {BLOCKED}.{BLOCKED}.0.140
• {BLOCKED}.{BLOCKED}.15.41
• {BLOCKED}.{BLOCKED}.138.132
• {BLOCKED}.{BLOCKED}.130.70
• {BLOCKED}.{BLOCKED}.132.6
• {BLOCKED}.{BLOCKED}.78.252
• {BLOCKED}.{BLOCKED}.103.16
• {BLOCKED}.{BLOCKED}.167.132
• {BLOCKED}.{BLOCKED}.24.102
• {BLOCKED}.{BLOCKED}.26.179
• {BLOCKED}.{BLOCKED}.229.141
• {BLOCKED}.{BLOCKED}.78.140
• {BLOCKED}.{BLOCKED}.219.110
• {BLOCKED}.{BLOCKED}.250.1
• {BLOCKED}.{BLOCKED}.226.142
• {BLOCKED}.{BLOCKED}.33.20

NOTES:

{Registry ValueName} are any of the following:

• Service Host Process for Windows
• Host-process Windows (Rundll32.exe)
• Client Server Runtime Process

It tries to replace the following system files with its copy:

• %System%\csrss.exe
• %System%\rundll32.exe
• %System%\svchost.exe

It does not have rootkit capabilities.

It does not exploit any vulnerability.