TROJ_DAGOZILL.C

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%/{random 15 characters}.exe
• %Program Files%/{random 15 characters}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This Trojan drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• %Start Menu%\Programs\Startup\{random 15 characters}.lnk

(Note: %Start Menu% is the Start Menu folder, where it usually is C:\Documents and Settings\{user name}\Start Menu on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}get.com/api.php?g={filename without extension of dropped copy}&k={random 25 characters (verification key)}
• http://{BLOCKED}demo.com/search.php?g={filename without extension of dropped copy}&k={random 25 characters (verification key)}
• http://{BLOCKED}ent.com/img.php?g={filename without extension of dropped copy}&k={random 25 characters (verification key)}

It saves the files it downloads using the following names:

• %User Temp%\{random 25 characters}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Trend Micro detects the dowloaded file as:

• Ransom_LOCKY.DLDSAOV

Other Details

This Trojan does the following:

• It deletes shadow copies by executing the following command:
  runas cmd.exe /c start {malware file path and file name} && vssadmin Delete Shadows /All /Quiet && exit

NOTES:

If this Trojan is unable to download the file to be executed from the websites, it attempts to connect to the URL https://twitter.com/hashtag/{BLOCKED}?f=tweets&vertical=default&src=tren to obtain a backup URL. If it obtains a backup URL, it saves the obtained URL in the Extended Attributes of %Desktop%\desktop.ini.