TROJ_UPATRE.YYSG

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It does not have any propagation routine.

It does not have any backdoor routine.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %User Temp%\document.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %User Temp%\adob8864.txt ← contains the initially executed malware path, which is overwritten once it downloads

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

File Infection

This Trojan adds the following registry entries that act as infection markers:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
marker_gjru_fbegrihlgm = "TRUE"

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Download Routine

This Trojan accesses the following websites to download files:

• www.{BLOCKED}utions.com/files/manualac.pdf
• {BLOCKED}oteknologi.co.id/fonts/manualac.pdf

It saves the files it downloads using the following names:

• %User Temp%\adob8864.txt

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Trojan deletes the initially executed copy of itself

NOTES:

This Trojan decompresses the binary code from %User Temp%\adob8864.txt. The decompressed binary code results to the executable file %User Temp%\{6letters}{1digit}.exe, which is detected as TSPY_DYRE.SMAB. The executable is then executed by this malware.

It connects to the following URLs to report infection of the affected system:

• {BLOCKED}.{BLOCKED}.242.226:{port}/2901us21/{Computer Name of the affected system}/{OS Version}/0/
• {BLOCKED}.{BLOCKED}.242.226:{port}/2901us21/{Computer Name of the affected system}/1/0/0

It reports the following information:

• Computer Name
• Operating system version
• Service Pack