TROJ_DLOADER.BCT


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW


A Trojan horse program is malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings so that they start automatically. Restoring affected systems may require procedures other than scanning with an antivirus program.

  TECHNICAL DETAILS

File Size:

199,168 bytes

Memory Resident:

No

Installation

This Trojan drops the following file(s)/component(s):

  • %System%\BLPHC7TPJ0E72C.SCR
  • %System%\lphc7tpj0e72c.exe
  • %System%\PHC7TPJ0E72C.BMP
  • %User Temp%\.TT3A.TMP.VBS

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • {A56DECD8-1102-49e9-BFD5-17FBE35197F2}
  • CLqhc5tpj0e72c
  • COMINIT_INITIALING

It stays resident in memory by creating the following process(es):

  • %System%\WScript.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This Trojan creates the following registry entries to enable automatic execution of the dropped component at every system startup:

HKEY_CURRENT_USER\Control Panel\Desktop
ConvertedWallpaper = "%System%\phc7tpj0e72c.bmp"

HKEY_CURRENT_USER\Control Panel\Desktop
OriginalWallpaper = "%System%\phc7tpj0e72c.bmp"

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Policies\
SYSTEM
NoDispBackgroundPage = "1"

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Policies\
SYSTEM
NoDispScrSavPage = "1"

HKEY_CURRENT_USER\SOFTWARE\Sysinternals\
Bluescreen Screen Saver
EulaAccepted = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Software Notifier
InstallID = "{malware name}"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
lphc7tpj0e72c = "%System%\lphc7tpj0e72c.exe"

Other System Modifications

This Trojan modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Control Panel\Colors
Background = "0 0 255"

(Note: The default value data of the said registry entry is 58 110 165.)

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = "%System%\blphc7tpj0e72c.scr"

(Note: The default value data of the said registry entry is (NONE).)

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%System%\phc7tpj0e72c.bmp"

(Note: The default value data of the said registry entry is blank.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Internet Settings\
Cache\Paths
Directory = "%Temporary Internet Files%\Content.IE5"

(Note: The default value data of the said registry entry is C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files\Content.IE5.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Internet Settings\
Cache\Paths\Path1
CachePath = "%Temporary Internet Files%\Content.IE5\Cache1"

(Note: The default value data of the said registry entry is C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files\Content.IE5\Cache1.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Internet Settings\
Cache\Paths\Path2
CachePath = "%Temporary Internet Files%\Content.IE5\Cache2"

(Note: The default value data of the said registry entry is C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files\Content.IE5\Cache2.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Internet Settings\
Cache\Paths\Path3
CachePath = "%Temporary Internet Files%\Content.IE5\Cache3"

(Note: The default value data of the said registry entry is C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files\Content.IE5\Cache3.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Internet Settings\
Cache\Paths\Path4
CachePath = "%Temporary Internet Files%\Content.IE5\Cache4"

(Note: The default value data of the said registry entry is C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files\Content.IE5\Cache4.)
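As an added check (not part of the Trend Micro report), the following Python function tests a registry snapshot for the Autostart Technique and Other System Modifications entries listed above: the Run entry, the SCRNSAVE.EXE and wallpaper values pointing at the dropped files, the two Policies\SYSTEM values, and the Bluescreen Screen Saver EULA flag. The snapshot is a constructed dictionary standing in for exported registry data; on a live Windows host the same keys would be read with winreg.

```python
"""Detect the TROJ_DLOADER.BCT registry footprint in a registry snapshot.
Added example for this report; the snapshot format {key: {value: data}} is
an assumption standing in for real exported registry data."""
import re

# The three dropped files share one suffix (lphc7tpj0e72c / blphc... / phc...),
# so match the name pattern instead of one exact string.
DROPPED_NAME = re.compile(r"\\(bl|l)?phc[0-9a-z]+\.(exe|scr|bmp)$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DESKTOP = r"HKEY_CURRENT_USER\Control Panel\Desktop"
POLICY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Policies\SYSTEM"
BSOD_SAVER = r"HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Bluescreen Screen Saver"


def find_indicators(snapshot):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    lookup = {k.lower(): v for k, v in snapshot.items()}  # registry keys are case-insensitive

    def get(key):
        return lookup.get(key.lower(), {})

    # 1. Run entry launching one of the dropped files at every startup.
    for name, data in get(RUN_KEY).items():
        if DROPPED_NAME.search(data):
            findings.append(f"Run entry '{name}' launches dropped file {data}")
    # 2. Screen saver and wallpaper values redirected to the dropped .scr/.bmp.
    desk = get(DESKTOP)
    for value in ("SCRNSAVE.EXE", "Wallpaper", "OriginalWallpaper", "ConvertedWallpaper"):
        if value in desk and DROPPED_NAME.search(desk[value]):
            findings.append(f"{value} points at dropped file {desk[value]}")
    # 3. Policies that hide the Background and Screen Saver pages of the Display applet.
    pol = get(POLICY)
    for value in ("NoDispBackgroundPage", "NoDispScrSavPage"):
        if pol.get(value) == "1":
            findings.append(f"{value}=1 hides the Display page needed to revert the change")
    # 4. EULA flag for the Sysinternals Bluescreen Screen Saver set without user action.
    if get(BSOD_SAVER).get("EulaAccepted") == "1":
        findings.append("Bluescreen Screen Saver EulaAccepted=1 matches the reported autostart data")
    return findings


# Constructed snapshots: one reproducing the entries listed in the report, one clean.
INFECTED = {
    RUN_KEY: {"lphc7tpj0e72c": r"%System%\lphc7tpj0e72c.exe"},
    DESKTOP: {"SCRNSAVE.EXE": r"%System%\blphc7tpj0e72c.scr",
              "Wallpaper": r"%System%\phc7tpj0e72c.bmp"},
    POLICY: {"NoDispBackgroundPage": "1", "NoDispScrSavPage": "1"},
    BSOD_SAVER: {"EulaAccepted": "1"},
}
CLEAN = {DESKTOP: {"SCRNSAVE.EXE": r"%System%\logon.scr"}, POLICY: {}}
```

Running `find_indicators(INFECTED)` yields six findings and `find_indicators(CLEAN)` yields none; removing the dropped files alone is not enough, since the policy values still lock the Display pages.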

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}.1.8eef40d2c272bc094416c082b3658c85.chr.santa-inbox.com/index.php?hostid=d1736306-2ead-49cc-94df-eac53fd0b625&tm=1225613575
  • http://{BLOCKED}.1.8eef40d2c272bc094416c082b3658c85.chr.santa-inbox.com/index.php?hostid=d1736306-2ead-49cc-94df-eac53fd0b625&tm=1225613583
  • http://{BLOCKED}.1.8eef40d2c272bc094416c082b3658c85.chr.santa-inbox.com/index.php?hostid=d1736306-2ead-49cc-94df-eac53fd0b625&tm=1225613592
  • http://{BLOCKED}008.net/images/1225613575/8eef40d2c272bc094416c082b3658c85/d1736306-2ead-49cc-94df-eac53fd0b625.gif
  • http://{BLOCKED}008.net/images/1225613582/8eef40d2c272bc094416c082b3658c85/d1736306-2ead-49cc-94df-eac53fd0b625.gif
  • http://{BLOCKED}008.net/images/1225613592/8eef40d2c272bc094416c082b3658c85/d1736306-2ead-49cc-94df-eac53fd0b625.gif

It displays the following message boxes:

Title: Windows Script Host
Content:
Script: %User Profile%\Local Settings\Temp\.tt3A.tmp.vbs
Line: 3
Char: 1
Error: Not found
Code: 80041002
Source: SWbemServices


(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

NOTES:

This Trojan resolves the hostname by attempting to obtain the machine's IP address. It waits for an active Internet connection and then connects to the following URLs, possibly to download a malicious file:

  • {BLOCKED}6.1.8eef40d2c272bc094416c082b3658c85.chr.santa-inbox.com
  • {BLOCKED}5.1.8eef40d2c272bc094416c082b3658c85.chr.santa-inbox.com
  • {BLOCKED}008.net
  • {BLOCKED}supdate.microsoft.co

It uses the following sets of strings, which may be related to HOSTS file modification, downloading, sending of information, and other possibly malicious routines:


It deletes itself after execution.

The executable %Current%\1bf0da89-5bfc-416a-891b-f65aa12c5f40.exe removes itself once executed.