PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

Angler Exploit Kit outbreak in US

This Trojan modifies registry entries to disable the Windows Firewall settings. This action allows this malware to perform its routines without being deteted by the Windows Firewall.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible. It gathers information and reports it to its servers.

  TECHNICAL DETAILS

File Size: 333,312 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Mar 2016
Payload: Connects to URLs/IPs, Terminates processes

Arrival Details

This malware arrives via the following means:

  • distributed by Angler Exploit Kit

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %Application Data%\Mozilla\svchoste.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It injects itself into the following processes as part of its memory residency routine:

  • svchost.exe
  • explorer.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Generic Host Process = "%Application Data%\Mozilla\svchoste.exe"

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
wowsys64datecheck = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Microsoft Antimalware\Exclusions\Extensions
{extensions} = "0"

where {extensions} are as follows:

  • *.exe
  • *.dll
  • *.tmp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Exclusions\Extensions
{extensions} = = "0"

where {extensions} are as follows:

  • *.exe
  • *.dll
  • *.tmp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Exclusions\Processes
{processes} = "0"

where {processes} are as follows:

  • svchost.exe
  • consent.exe
  • rundll32.exe
  • explorer.exe
  • spoolsv.exe
  • rgjdu.exe
  • afwqs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Microsoft Antimalware\Exclusions\Processes
{processes} = "0"

where {processes} are as follows:

  • svchost.exe
  • consent.exe
  • rundll32.exe
  • explorer.exe
  • spoolsv.exe
  • rgjdu.exe
  • afwqs.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
WinNtM = "1"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
WinNtAv = "1"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
WinNtAr = "1"

It modifies the following registry entries to disable the Windows Firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\publicprofile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\publicprofile
DoNotAllowExceptions = "0"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentCotrolSet\
Services\SharedAccess\Parameters\
FirewallPolicy\publicprofile
DisableNotifications = "1"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DisableNotifications = "1"

(Note: The default value data of the said registry entry is {user-defined}.)

Process Termination

This Trojan terminates the following services if found on the affected system:

  • WinDefend
  • MpsSvc

It terminates the following processes if found running in the affected system's memory:

  • mbam.exe

Other Details

This Trojan connects to the following website to send and receive information:

  • http://{BLOCKED}g.cc/extra/status.html
  • http://{BLOCKED}onized3.cc/lost.dat
  • http://{BLOCKED}t.cc/extra/status.html

It does the following:

  • It attempts to disable the following anti-malware related applications:
    • Windows Defender
    • Malwarebytes
    • Microsoft Security Center
    • AVG

However, as of this writing, the said sites are inaccessible.

It gathers the following information and reports it to its servers:

  • IP address
  • Windows OS
  • UID

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 12.402.07
FIRST VSAPI PATTERN DATE: 14 Mar 2016
VSAPI OPR PATTERN File: 12.403.00
VSAPI OPR PATTERN Date: 15 Mar 2016

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Generic Host Process = "%Application Data%\Mozilla\svchoste.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • AntiVirusDisableNotify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • AntiVirusOverride = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirewallDisableNotify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirewallOverride = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • UpdatesDisableNotify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • wowsys64datecheck = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • kereruthjertr456 = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions
    • {extensions} = "0"

      where {extensions} are as follows:

      • *.exe
      • *.dll
      • *.tmp


  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    • {extensions} = "0"

      where {extensions} are as follows:

      • *.exe
      • *.dll
      • *.tmp


  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
    • {processes} = "0"

      where {processes} are as follows:

      • svchost.exe
      • consent.exe
      • rundll32.exe
      • explorer.exe
      • spoolsv.exe
      • rgjdu.exe
      • afwqs.exe


  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
    • {processes} = "0"

      where {processes} are as follows:

      • svchost.exe
      • consent.exe
      • rundll32.exe
      • explorer.exe
      • spoolsv.exe
      • rgjdu.exe
      • afwqs.exe


  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • WinNtM = "1"
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • WinNtAv = "1"
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • WinNtAr = "1"

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • From: EnableFirewall = "0"
      To: EnableFirewall = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\publicprofile
    • From: EnableFirewall = "0"
      To: EnableFirewall = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • From: DoNotAllowExceptions = "0"
      To: DoNotAllowExceptions = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\publicprofile
    • From: DoNotAllowExceptions = "0"
      To: DoNotAllowExceptions = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • From: DisableNotifications = "1"
      To: DisableNotifications = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentCotrolSet\Services\SharedAccess\Parameters\FirewallPolicy\publicprofile
    • From: DisableNotifications = "1"
      To: DisableNotifications = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    • From: EnableFirewall = "0"
      To: EnableFirewall = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    • From: DoNotAllowExceptions = "0"
      To: DoNotAllowExceptions = {user-defined}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    • From: DisableNotifications = "1"
      To: DisableNotifications = {user-defined}

Step 6

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_AVRECON.NVP. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.