MONKIF
Monkif, Myxa
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Dropped by other malware, Downloaded from the Internet
MONKIF malware are components of a botnet called ExeDot. These components access certain websites to download other malware onto already infected systems. MONKIF malware also terminates processes related to antivirus and firewall programs to avoid early detection and subsequent removal from the system.
This family of Trojans can be downloaded from malicious websites or dropped by other malware. It is also installed as a Browser Helper Object (BHO).
TECHNICAL DETAILS
Yes
Connects to URLs/IPs, Drops files, Downloads files, Terminates processes
Installation
This Trojan drops the following files:
- %User Temp%\msfat32
- %User Temp%\msmonitor
- %User Temp%\{random file name}.tmp
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Other System Modifications
This Trojan adds the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{random CLSID}
  ThreadingModel = "Apartment"
HKEY_CLASSES_ROOT\CLSID\{random CLSID}
  (Default) = "%User Temp%\msfat32"
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  CLSID = "{random CLSID}"
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  (Default) = "Microsoft Improved HTML MIME Filter"
HKEY_CURRENT_USER\Software\CLSID\{Random UUID}\InProcServer32
  (Default) = "{Malware Path and File Name}"
HKEY_CURRENT_USER\Software\CLSID\{Random UUID}\InProcServer32
  ThreadingModel = "Apartment"
HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html
  (Default) = "Microsoft Improved HTML MIME Filter"
HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html
  CLSID = "{Random UUID}"
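The dropped files and registry entries above give a defender a concrete host check: a text/html MIME filter registered under PROTOCOLS\Filter whose CLSID resolves to a file in the user's Temp folder. The following Python script is an added example, not code from the original page or from Trend Micro. It parses a constructed .reg export (the CLSID, the user name "alice" and the benign text/webviewhtml entry are invented for the example) and applies that check to both the HKEY_CLASSES_ROOT and HKEY_CURRENT_USER locations listed above, reporting why each filter looks suspicious.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` of the keys MONKIF touches. The CLSID, the
# user name "alice" and the benign "text/webviewhtml" entry are made up for this
# example; only the key layout and value names follow the description above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
@="Microsoft Improved HTML MIME Filter"
"CLSID"="{0F1E2D3C-4B5A-6978-8A9B-ACBDCEDFE0F1}"

[HKEY_CLASSES_ROOT\CLSID\{0F1E2D3C-4B5A-6978-8A9B-ACBDCEDFE0F1}]
@="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\msfat32"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html]
@="Microsoft Improved HTML MIME Filter"
"CLSID"="{0F1E2D3C-4B5A-6978-8A9B-ACBDCEDFE0F1}"

[HKEY_CURRENT_USER\Software\CLSID\{0F1E2D3C-4B5A-6978-8A9B-ACBDCEDFE0F1}\InProcServer32]
@="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\msmonitor"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="constructed benign filter"
"CLSID"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-cased): {value name: data}}.
    Only string data (REG_SZ) is decoded, which is all these keys contain."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping of \ and "
        keys[current][name] = data
    return keys


# Where a text/html filter can be registered: machine-wide or in the per-user Classes hive.
FILTER_KEYS = (
    r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html",
    r"HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html",
)
# Where the CLSID may be defined; HKCU\Software\CLSID is the unusual location the page lists.
CLSID_ROOTS = (
    r"HKEY_CLASSES_ROOT\CLSID",
    r"HKEY_CURRENT_USER\Software\Classes\CLSID",
    r"HKEY_CURRENT_USER\Software\CLSID",
)


def server_paths(keys: Dict[str, Dict[str, str]], clsid: str) -> List[Tuple[str, str]]:
    """Return (key, path) for every place the CLSID's server file is recorded: the CLSID
    key's own default (where MONKIF writes the HKCR path) and the InProcServer32 default."""
    found = []
    for root in CLSID_ROOTS:
        base = f"{root}\\{clsid}".lower()
        for k in (base, base + r"\inprocserver32"):
            path = keys.get(k, {}).get("(Default)")
            if path:
                found.append((k, path))
    return found


def find_suspicious_html_filters(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag every registered text/html MIME filter and explain why it looks like MONKIF.
    A text/html filter is not normally present on a clean install, so its existence alone
    earns a 'review' verdict; a Temp-resident server or the MONKIF display name raises it."""
    findings = []
    for fk in FILTER_KEYS:
        vals = keys.get(fk.lower())
        if vals is None:
            continue
        clsid = vals.get("CLSID", "")
        reasons = ["text/html MIME filter registered"]
        if vals.get("(Default)") == "Microsoft Improved HTML MIME Filter":
            reasons.append("display name used by MONKIF")
        for _, path in server_paths(keys, clsid):
            if "\\temp\\" in path.lower():
                reasons.append(f"filter server lives in a Temp folder: {path}")
        verdict = "likely MONKIF" if len(reasons) > 1 else "review"
        findings.append({"key": fk, "clsid": clsid, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_html_filters(parse_reg(SAMPLE_REG)):
        print(f["verdict"], f["key"], f["clsid"])
        for r in f["reasons"]:
            print("   -", r)
```

On a real host, feed the script the output of `reg export` for HKEY_CLASSES_ROOT\PROTOCOLS\Filter, HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter, HKEY_CLASSES_ROOT\CLSID and HKEY_CURRENT_USER\Software\CLSID; a filter whose server is a Temp-resident, extension-less file such as msfat32 or msmonitor is the strongest indicator, since the display name and CLSID can vary between samples.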
Other Details
This Trojan connects to the following possibly malicious URLs:
- www.{BLOCKED}ies.com/photo/{random characters}.php?{random characters}={encrypted code for the running processes}
- http://www.{BLOCKED}iaz.com/photo/{random}.php?{random}
- http://www.{BLOCKED}litzk.com/photo/{random}.php?{random}
- http://{BLOCKED}ncy.com/cgi/{random characters}.php?{random characters}={encrypted code for the running processes}
- http://ww1.{BLOCKED}ncy.com/cgi/{random characters}.php?{random characters}={encrypted code for the running processes}
- http://{BLOCKED}s.com/cgi/{random characters}.php?{random characters}={encrypted code for the running processes}
- http://{BLOCKED}ing.com/?{random}={random}