TROJ_POPHOT.SM

This Trojan arrives as a component bundled with malware/grayware packages.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

It opens a hidden Internet Explorer window.

Arrival Details

This Trojan arrives as a component bundled with malware/grayware packages.

Installation

This Trojan injects itself into the following processes as part of its memory residency routine:

• winlogon.exe
• explorer.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\SeAcros
Startup = WLEventStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\SeAcros
StartShell = WLEventStartShell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\SeAcros
DLLName = {malware filename}

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\SeAcros

HKEY_CLASSES_ROOT\Briefcase.Server

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\knf

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\igfxex

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersionWinlogon\Notify\
ScomLaunch

Process Termination

This Trojan terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• SkyNet Firewall
• Trend Micro Client/Server Security Agent Personal Firewall
• Rising Personal Firewall
• Kingsoft Personal Firewall
• Sygate Personal FireWall
• Trend Micro PC-cillin Internet Security FireWall
• Kaspersky Anti-Virus for File Servers
• NOD32 Anti-Virus
• McAfee VirusScan
• Symantec AntiVirus
• Rising Process Communication Center
• Avira AntiVir
• Trend Micro Anti-Virus
• jiangming Antivirus
• Kingsoft Antivirus
• Kaspersky Anti-Virus
• network associates
• AVG7

Download Routine

This Trojan connects to the following malicious URLs:

• http://www.{BLOCKED}p.com/images/yih_cover.jpg
• http://www.{BLOCKED}c.com.cn/Include/images/c_pic.jpg
• http://www.{BLOCKED}go.com.cn/Images/T-ZCARGO/wu.jpg
• http://www.{BLOCKED}go.com.cn/system/Images/T-ZCARGO/wu.jpg
• http://www.{BLOCKED}c.com.cn/Include/images/c_pic.jpg

Other Details

This Trojan opens a hidden Internet Explorer window.

It does the following:

• It stores information about itself in the registry key HKEY_CLASSES_ROOT\\Briefcase.Server
• ExistsName
• GiTypeName
• Restore
• Backup
• StartProcUpdateTime
• Begin
• ar
• LastModified
• This DLL file has the following backdoor capabilities:
• create/delete user account
• send email
• send and receive files
• retreive Windows log-in user name and password
• screenshot
• hook mouse
• hook keyboard
• Open webcam
• download updated copy of itself
• download other files
• start/terminate process
• execute arbitrary shell commands
• reboot the machine
• It terminates the following processes if found running in the affected system's memory:
  
  • tmlisten.exe
  • ntrtscan.exe
  • tmntsrv.exe
  • avgamsvr.exe
  • avguard.exe
  • ravmond.exe
  • ravtask.exe
  • kwatch.exe
  • rtvscan.exe
  • ccevtmgr.exe
  • sched.exe
  • frameworkService.exe
  • ekrn.exe
  • nod32kui.exe
  • nod.exe
  • klserver.exe
  • kavmm.exe
  • avp.exe
  • pfw.exe
  • ofcpfwsvc.exe
  • rfwsrv.exe
  • kpfwsvc.exe
  • smc.exe
  • tmpfw.exe
  • mcshield.exe