arrow_back
search
close

TROJ_NEBULER

July 22, 2013
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


This malware family can be downloaded via visiting malicious websites. Its main function is to download other malware onto infected systems thus compromising its security.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Downloads files

Installation

This Trojan drops the following files:

  • %System%\msi{random three letters}32.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSIDLL = "rundll32.exe %System%\msi{random three letters}32.dll,{random}"

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{random}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:1"

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}c.unas.cz/admin/index.php?q={random}
  • http://{BLOCKED}ob.nl/admin/index.php?q={random}
  • http://{BLOCKED}nsle1.la.funpic.de/admin/index.php?q={random}
  • http://{BLOCKED}e.com/upd.php?q={random}
  • http://{BLOCKED}d.com/upd.php?q={random}
  • http://www.{BLOCKED}a.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}astranka.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}iesan.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}e-nemecko.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}e-nemecko2006.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}007.unas.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}epower.wz.cz/adv/index.php?q={random}
  • http://www.{BLOCKED}ug.xf.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}y.mysteria.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}nt1bnt.w8w.pl/admin/index.php?q={random}
  • http://www.{BLOCKED}erin.com/admin/index.php?q={random}