GERAL
Microsoft: Dogrobot, Dogkild; Ikarus: Geral; VBA32: Geral
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
GERAL (also known as The Robot Dog) terminates security-related applications so that it can download and execute other malicious files unhindered. As a result, the security of the affected system is compromised.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %System%\drivers\TvPlus.sys
- %System%\drivers\pcidump.sys
- %System%\jxgamepacik.pak
- %User Temp%\{random}.exe
- %Windows%\extext{random}t.exe
- %Windows%\{random}test.dll
- %Windows%\{random}text.exe
(Note: %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions. %User Temp% is the user's temporary folder, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Windows% is the Windows folder, usually C:\Windows on all Windows operating system versions.)
It drops the following copies of itself into the affected system:
- %System%\scvhost.exe
- %System%\kav.exe
(Note: %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions.)
It creates the following folders:
- %Program Files%\KAV
(Note: %Program Files% is the Program Files folder, usually C:\Program Files on all Windows operating system versions, and C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RsTray = "%System%\scvhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kav = "%System%\kav.exe"
It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
{application} = "svchost.exe"
Other System Modifications
This Trojan adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}re.cn/xx8/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}4.cc/2/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}4.cc/7/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}2.{BLOCKED}j.com:18888/57/tj.asp?mac={mac address}&ver={version}&os={OS}&dtime={date}
- http://{BLOCKED}o.{BLOCKED}2.org:300/up23/Count.asp?mac={mac address}&ver={version}&os={OS}&dtime={date}
- http://www.{BLOCKED}2432.cn/0001/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://www.{BLOCKED}2432.cn/0004/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}3.cn/xx8/ttnew.txt
- http://{BLOCKED}2.cn/0001/ttnew.txt
- http://{BLOCKED}2.cn/0004/ttnew.txt
- http://{BLOCKED}z.{BLOCKED}ns.com:18184/c/d.txt
- http://{BLOCKED}z.{BLOCKED}ns.com:18184/c/host.txt
- http://{BLOCKED}t.{BLOCKED}8.xicp.cn:300/aas.txt
- http://{BLOCKED}8.com/xin/host.jpg
- http://{BLOCKED}8.com/xin/xx2.txt
- http://{BLOCKED}8.com/xin/xx7.txt
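The check-in URLs listed above share one shape: a request to Count.asp or tj.asp whose query string carries mac=, ver= and os= (some variants add dtime=). The following is an added example, not part of this entry and not code from the malware, that flags that shape in web proxy logs regardless of host, which matters because the hosts are {BLOCKED} on this page and change in practice while the beacon shape does not. The log format (a simplified "timestamp client method url" line), every hostname and every log line below are constructed for the example.

```python
"""Flag GERAL-style check-in requests in web proxy logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Script names taken from the check-in URLs listed on this page.
BEACON_SCRIPTS = {"count.asp", "tj.asp"}
# Query parameters every listed check-in carries; dtime is optional.
REQUIRED_PARAMS = {"mac", "ver", "os"}
# Loose MAC check: six hex pairs separated by '-', ':' or nothing.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?[0-9A-Fa-f]{2}){5}$")


def classify_url(url):
    """Return the leaked fields if url has the check-in shape, else None."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in BEACON_SCRIPTS:
        return None
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items() if v}
    if not REQUIRED_PARAMS.issubset(params):
        return None
    return {
        "host": parts.hostname,
        "port": parts.port or 80,
        "script": script,
        "mac": params["mac"],
        "mac_is_valid": bool(MAC_RE.match(params["mac"])),
        "ver": params["ver"],
        "os": params["os"],
        "dtime": params.get("dtime"),  # None for variants without it
    }


def scan_log(lines):
    """Return one finding per log line whose URL matches the check-in shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        timestamp, client, _method, url = fields[:4]
        finding = classify_url(url)
        if finding is not None:
            finding["client"] = client
            finding["timestamp"] = timestamp
            hits.append(finding)
    return hits


# Constructed sample log lines; hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    "1262304000.101 10.0.0.12 GET http://stats.example.invalid:18888/57/tj.asp?mac=00-1A-2B-3C-4D-5E&ver=1.2&os=XP&dtime=2010-01-01",
    "1262304001.202 10.0.0.12 GET http://www.example.invalid/0001/Count.asp?mac=00-1A-2B-3C-4D-5E&ver=1.2&os=XP",
    "1262304002.303 10.0.0.44 GET http://cdn.example.invalid/site/Count.asp?page=home",
    "1262304003.404 10.0.0.44 GET http://intranet.example.invalid/hr/tj.asp?id=7",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['host']}:{hit['port']} "
              f"{hit['script']} leaks mac={hit['mac']} ver={hit['ver']} os={hit['os']}")
```

The two benign lines in the sample (a Count.asp with unrelated parameters and a tj.asp with only id=) are there to show that the match is on the parameter set, not on the script name alone; the MAC flag lets an analyst separate real check-ins from noise when the parameter names collide with unrelated sites.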
NOTES:
In the added Image File Execution Options registry entry, {application} may be any of the following:
- 360Safebox.exe
- 360SoftMgrSvc.exe
- 360delays.exe
- 360realpro.exe
- 360rp.exe
- 360safe.exe
- 360sd.exe
- 360tray.exe
- AgentSvr.exe
- CCenter.exe
- DSMain.exe
- DrUpdate.exe
- DrvAnti.exe
- FrameworkService.exe
- KABackReport.exe
- KISSvc.exe
- KPFW32.exe
- KPfwSvc.exe
- KSWebShield.exe
- KVSrvXP.exe
- KWatch.exe
- KavStart.exe
- LiveUpdate360.exe
- MPMon.exe
- MPSVC.exe
- MPSVC1.exe
- MPSVC2.exe
- McProxy.exe
- McTray.exe
- MpfSrv.exe
- QQDoctor.exe
- QQDoctorRtp.exe
- QQDrNetMon.exe
- Rav.exe
- RavMon.exe
- RavMonD.exe
- RavStub.exe
- RavTask.exe
- RegGuide.exe
- RsAgent.exe
- RsTray.exe
- SHSTAT.exe
- ScanFrm.exe
- Uplive.exe
- XsClient.exe
- alg.exe
- antiarp.exe
- avp.exe
- bdagent.exe
- ccEvtMgr.exe
- ccSetMgr.exe
- ccSvcHst.exe
- ccapp.exe
- defwatch.exe
- egui.exe
- ekrn.exe
- engineserver.exe
- kaccore.exe
- kmailmon.exe
- livesrv.exe
- mcagent.exe
- mcinsupd.exe
- mcmscsvc.exe
- mcnasvc.exe
- mcshell.exe
- mcshield.exe
- mcsysmon.exe
- mcupdmgr.exe
- mfeann.exe
- mfevtps.exe
- naPrdMgr.exe
- nbmanti.exe
- qutmserv.exe
- rfwsrv.exe
- rsnetsvr.exe
- rssafety.exe
- rtvscan.exe
- safeboxTray.exe
- uDongFangYu.exe
- udaterui.exe
- vptray.exe
- vsserv.exe
- vstskmgr.exe
- xcommsvr.exe
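The Autostart Technique section above describes two persistence points: Run values named RsTray and kav that launch %System%\scvhost.exe (a lookalike of the legitimate svchost.exe) and %System%\kav.exe, and Image File Execution Options subkeys named after the security products in the list just given. The following is an added example, not part of this entry and not code from the malware, that triages a .reg text export (the regedit / reg.exe export format) for both. It reports Run values that use the names from this entry or whose image name is within one edit of a system binary, and any IFEO subkey whose name is one of the listed products; the IFEO check keys on the subkey's existence, so the exact value layout does not matter. The .reg text below is constructed, and SECURITY_PROCESSES holds only a subset of the page's list to keep the example short; in use it should carry the full list.

```python
"""Triage a .reg export for the GERAL Run and IFEO indicators (added example)."""
import re

# Subset of the {application} names from the NOTES list above (extend with the full list).
SECURITY_PROCESSES = {
    "360tray.exe", "360safe.exe", "avp.exe", "egui.exe", "ekrn.exe",
    "mcshield.exe", "ravmond.exe", "rstray.exe", "kavstart.exe", "ccsvchst.exe",
}
KNOWN_RUN_NAMES = {"rstray", "kav"}  # Run value names used by this entry
LEGIT_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options" + "\\")


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):  # REG_SZ: undo .reg escaping
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name.lower()] = data  # dword:/hex: values kept as raw text
    return keys


def edit_distance_le1(a, b):
    """True if a and b differ by at most one substitution, insertion, deletion or adjacent swap."""
    if a == b:
        return True
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def triage(reg_text):
    """Return human-readable findings for the Run and IFEO indicators on this page."""
    findings = []
    keys = parse_reg(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        image = data.split("\\")[-1].split(" ")[0].lower()  # file name without path or arguments
        if name in KNOWN_RUN_NAMES:
            findings.append(f"Run value '{name}' uses a name from this entry: {data}")
        for legit in LEGIT_SYSTEM_BINARIES:
            if image != legit and edit_distance_le1(image, legit):
                findings.append(f"Run value '{name}' launches '{image}', a lookalike of {legit}: {data}")
    for key, values in keys.items():
        if key.startswith(IFEO_PREFIX) and key[len(IFEO_PREFIX):] in SECURITY_PROCESSES:
            findings.append(f"IFEO subkey for security product '{key[len(IFEO_PREFIX):]}': {values}")
    return findings


# Constructed .reg export; backslashes are doubled as regedit writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RsTray"="C:\\Windows\\System32\\scvhost.exe"
"kav"="C:\\Windows\\System32\\kav.exe"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"360tray.exe"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"avp.exe"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

The notepad.exe subkey in the sample stands in for the legitimate developer use of IFEO and produces no finding, which is the point of matching on the product list rather than on every IFEO subkey; the lookalike check is separate from the name list so that a renamed Run value still surfaces scvhost.exe.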