Trojan.Win32.DLAUNCHER.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %All Users Profile%\SymantecSEndponit\Data\EdrEpmpCStorages.dat → Detected as Trojan.Win32.DBUNDLE.A
• %All Users Profile%\SymantecSEndponit\Data\PchEpmpCStorages.dat → Detected as Trojan.Win32.DBUNDLE.A
• %All Users Profile%\SymantecSEndponit\Data\csdkset.dat → Detected as Trojan.Win32.DBUNDLE.A
• %All Users Profile%\SymantecSEndponit\Data\prodcltdef.dat → Detected as Trojan.Win32.DBUNDLE.A
• %All Users Profile%\SymantecSEndponit\Bin\Symantec.exe
• %All Users Profile%\SymantecSEndponit\Bin\LDVPOCX.OCX
• %All Users Profile%\SymantecSEndponit\Bin\3.8.2259.42.manifest
• %All Users Profile%\SymantecSEndponit\Bin\vivaldi_elf.dll
• %All Users Profile%\SymantecSEndponit\Bin\vivaldi.exe
• %All Users Profile%\Vivaldi\Application\3.8.2259.42.manifest
• %All Users Profile%\Vivaldi\Application\vivaldi_elf.dll
• %AppDataLocal%\Cyber\CUZ.exe
• %All Users Profile%\Vivaldi\Application\vivaldi.exe
• %AppDataLocal%\Cyber\ZIPDLL.dll
• %AppDataLocal%\MicrosoftExplorer\msexpert.exe
• %Application Data%\Microsoft\Crypto\RSA\{SID}\{Random Characters}_{Machine GUID}
• %AppDataLocal%\MicrosoftExplorer\ZIPDLL.DLL → deleted afterward
• %Public%\winmine.bin → deleted afterward

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It adds the following processes:

• %System Root%\kaspersky\Usb Drive\3.0\Symantec.cmd
• %All Users Profile%\SymantecSEndponit\Bin\Symantec.exe
• cmd /c "%All Users Profile%\Vivaldi\Application\vivaldi.exe" {0-100}
• "%AppDataLocal%/MicrosoftExplorer/msexpert.exe" {0-100} {Key for decrpyting shellcode}
• "%AppDataLocal%\Cyber\CUZ.exe" "%AppDataLocal%/MicrosoftExplorer/msexpert.exe"

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %All Users Profile%\SymantecSEndponit\Bin
• %All Users Profile%\SymantecSEndponit\Data

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). )

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• FHSHIFEUI23436iuEIUIfdEuihif

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SNMELSEILYWGUSJGS = "%All Users Profile%\SymantecSEndponit\Bin\Symantec.exe"

Other System Modifications

This Trojan deletes the following folders:

• %All Users Profile%\Symantecs\SymantecXgp

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). )

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

Backdoor Routine

This Trojan connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.116

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

• Symantec.exe

Information Theft

This Trojan gathers the following data:

• Username
• Computer name
• System Architecture
• Operating system
• Available storage space of hard disk or flash drive

Stolen Information

This Trojan sends the gathered information via HTTP POST to the following URL:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.116/index.php

Other Details

This Trojan does the following:

• It requires the following files to proceed to its intended routine:
  • %System Root%\kaspersky\Usb Drive\3.0\Symanted.cmd
  • %System Root%\kaspersky\Usb Drive\3.0\Data\EdrEpmpCStorages.dat
  • %System Root%\kaspersky\Usb Drive\3.0\Data\PchEpmpCStorages.dat
  • %System Root%\kaspersky\Usb Drive\3.0\Data\csdkset.dat
  • %System Root%\kaspersky\Usb Drive\3.0\Data\prodcltdef.dat
  • %System Root%\kaspersky\Usb Drive\3.0\LDVPOCX.OCX
• If it detects that USB drives are connected to the system, it performs the following actions:
  • Existing files from the USB drive are moved to the following folder
  • {Drive root}\kaspersky\Usb Drive
• It drops files with hidden attributes:
  • {Drive root}\kaspersky\Usb Drive\3.0\EdrEpmpCStorages.dat
  • {Drive root}\kaspersky\Usb Drive\3.0\PchEpmpCStorages.dat
  • {Drive root}\kaspersky\Usb Drive\3.0\csdkset.dat
  • {Drive root}\kaspersky\Usb Drive\3.0\prodcltdef.dat
  • {Drive root}\{USB drive name}.exe → Copy if itself
• It creates the following folders:
  • {Drive root}\kaspersky\Usb Drive\3.0

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)