arrow_back
search
close

TROJ_CTBLOCK.HT

September 25, 2017
 Modified by: Rika Joi Gregorio
 ALIASES:

Backdoor.Trojan(Norton), Trojan.Inject(Ikarus), Win32/Filecoder.DA trojan(Eset)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

952,832 bytes

Memory Resident:

Yes

Initial Samples Received Date:

19 Jan 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %User Temp%\{random file name}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

  • %User Profile%\My Documents\Decrypt All Files {random 7 letters}.bmp
  • %User Profile%\My Documents\Decrypt All Files {random 7 letters}.txt
  • %Windows%\Tasks\{random file name 3}.job - run every system startup
  • %All Users Profile%\Application Data\{random file name 2}.html

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

  • %All Users Profile%\Application Data\Microsoft Help\{random folder name}

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Trojan changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = "0"

(Note: The default value data of the said registry entry is {user defined}.)

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%User Profile%\My Documents\Decrypt All Files {random 7 letters}.bmp"

(Note: The default value data of the said registry entry is {user defined}.)

NOTES:

This Trojan is capable of encrypting files. It changes the affected system's desktop wallpaper.