ANDROMEDA
Gamarue, Wauchos
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This malware family refers to variants consisting of backdoors that are tied to the ANDROMEDA botnet. The botnet was first spotted in late 2011. It is a modular bot whose functions can be easily modified through plugins.
One common behavior of this malware is checking whether it is being executed or debugged in a virtual environment, using anti-virtual-machine techniques. It can perform commands such as downloading and executing files, opening a remote shell, and uninstalling itself from the system.
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %All Users Profile%\Local Settings\Temp\{random}.{random extension}
- %All Users Profile%\svchost.exe
- %All Users Profile%\{random}.exe
- %Program Data%\svchost.exe
- %User Temp%\{random}.exe
(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Other System Modifications
This Trojan also creates the following registry entry(ies) as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched = "%All Users Profile%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
540 = "%All Users Profile%\Local Settings\Temp\{random}.{random extension}"
540 = "%All Users Profile%\{random}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path and file name} = "{malware path and file name}:*:Enabled:Marko"
{malware path and file name} = "{malware path and file name}:*:Enabled:{malware file name}"
%System%\msiexec.exe = "%System%\msiexec.exe:*:Generic Host Process"
%System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"
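The dropped-file and registry entries above can be turned into a host check. The following is an added example, not code from the original page: it parses a .reg-style export and flags the persistence pattern described here, namely a svchost.exe autostart outside %System%, an autostart pointing into a Temp folder, and a firewall exception that whitelists that same autostart binary or carries the "Marko" label. The sample export and every path in it are constructed.

```python
import re
# Persistence and firewall-whitelist locations this family writes to (taken from the page)
RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\policies\explorer\run")
FIREWALL_LIST_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
SYSTEM_DIR = re.compile(r"\\system32\\|%system%\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample export with hypothetical paths, modelled on the entries listed above
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\ProgramData\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"540"="C:\ProgramData\Local Settings\Temp\qwe.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\ProgramData\svchost.exe"="C:\ProgramData\svchost.exe:*:Enabled:Marko"
"C:\Windows\System32\svchost.exe"="C:\Windows\System32\svchost.exe:*:Enabled:Generic Host Process"
"""

def parse_reg_export(text):
    """Return (key, name, data) tuples from .reg-style text: [key] headers, then "name"="data" lines."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            # accept both plain and .reg-escaped (doubled) backslashes
            entries.append((key, name.strip('"'), data.strip('"').replace("\\\\", "\\")))
    return entries

def find_andromeda_indicators(reg_text):
    """Return findings matching the persistence pattern described on this page."""
    entries = parse_reg_export(reg_text)
    findings, autostart = [], set()
    for key, name, data in (e for e in entries if e[0].lower().endswith(RUN_KEY_SUFFIXES)):
        autostart.add(data.lower())
        # the genuine svchost.exe lives only under %System%; the Trojan drops a copy in the All Users profile
        if data.lower().endswith("svchost.exe") and not SYSTEM_DIR.search(data):
            findings.append(f"autostart svchost.exe outside System32: {name} = {data}")
        # autostart from a Temp folder matches the dropped {random}.{random extension} copy
        if TEMP_DIR.search(data):
            findings.append(f"autostart from a Temp folder: {name} = {data}")
    for key, name, data in (e for e in entries if e[0].lower().endswith(FIREWALL_LIST_SUFFIX)):
        parts = data.rsplit(":", 3)  # data format: path:*:Enabled:description
        # the Trojan whitelists its own autostart copy; one variant labels the entry "Marko"
        if len(parts) == 4 and (parts[0].lower() in autostart or parts[3] == "Marko"):
            findings.append(f"firewall exception for autostart binary: {parts[0]} ({parts[3]})")
    return findings
```

Feed it the output of `reg export` for the HKLM\SOFTWARE and HKLM\SYSTEM hives from a suspect host; the legitimate %System%\svchost.exe entries produce no finding.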
Other Details
This Trojan connects to the following possibly malicious URLs: