TROJ_DROPR.JX
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan creates the following folders:
- %System Root%\ProgramData
- %System Root%\ProgramData\Microsoft
- %System Root%\ProgramData\Microsoft\Windows
- %System Root%\ProgramData\Microsoft\Windows\Common
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This Trojan registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPSrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLog0n
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSysapp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UDPMon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPNPUpdate
Other System Modifications
This Trojan modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
Directory = "%System Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
CachePath = "%System Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
CachePath = "%System Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
CachePath = "%System Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache3.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
CachePath = "%System Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache4.)
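The following script is an added detection example, not part of this advisory and not Trend Micro's code. It walks a plain-text registry export (the format written by the built-in "reg export" command) and flags the two registry indicators described above: the service keys listed under Autostart Technique and any Cache\Paths value that has been redirected into the LocalService profile. The sample export embedded in the script is constructed for the demonstration; the ImagePath value it gives the NetLog0n service is an assumption, since the advisory does not state which dropped file each service points to. The legitimate "Dhcp" service is included in the sample so the check can be seen not to confuse it with the Trojan's "DHCPSrv".

```python
import re

# Registry keys the advisory lists under "Autostart Technique" (taken from the page).
SUSPICIOUS_SERVICE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Security",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPSrv",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLog0n",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSysapp",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionService",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemSvc",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UDPMon",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPNPUpdate",
}
SUSPICIOUS_KEYS_LOWER = {k.lower() for k in SUSPICIOUS_SERVICE_KEYS}

# Key whose Directory / CachePath values the advisory says are modified (from the page).
CACHE_PATHS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths"
CACHE_PATHS_LOWER = CACHE_PATHS_KEY.lower()
# The modified values all point into the LocalService profile instead of the default location.
REDIRECT_MARKER = "\\documents and settings\\localservice\\"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Constructed sample export; the NetLog0n ImagePath is an assumption for illustration only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLog0n]
"ImagePath"="C:\\ProgramData\\Microsoft\\Windows\\QQlive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory"="C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath"="C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\Cache1"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text; only string values are kept."""
    hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data; undo that here.
            hive[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return hive


def find_indicators(hive):
    """Return a sorted list of human-readable findings for the registry indicators above."""
    findings = []
    for key, values in hive.items():
        k = key.lower()  # registry key names are case-insensitive
        if k in SUSPICIOUS_KEYS_LOWER:
            findings.append("autostart key present: " + key)
        if k == CACHE_PATHS_LOWER or k.startswith(CACHE_PATHS_LOWER + "\\"):
            for name, data in values.items():
                if name.lower() in ("directory", "cachepath") and REDIRECT_MARKER in data.lower():
                    findings.append("cache path redirected: %s\\%s = %s" % (key, name, data))
    return sorted(findings)


if __name__ == "__main__":
    for line in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(line)
```

To run it against a real host, export the two hives with "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg" and the corresponding command for the Internet Settings key, then read the files with encoding "utf-16" (reg.exe writes UTF-16LE) and pass the text to parse_reg_export. A hit on any of the service keys is only a starting point: confirm it by inspecting the ImagePath of the service and the files under %System Root%\ProgramData\Microsoft\Windows named in the Dropping Routine section.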
Dropping Routine
This Trojan drops the following files:
- %System Root%\ProgramData\Microsoft\Windows\NetCC{number}.dll
- %System Root%\ProgramData\Microsoft\Windows\QQlive.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}kynx.tuita.com/
- http://hi.{BLOCKED}u.com/belheiwqiu/rss
- http://hi.{BLOCKED}u.com/bwhrpbe/rss
- http://hi.{BLOCKED}u.com/gpocoi55/rss
- http://hi.{BLOCKED}u.com/gqpgemc/rss
- http://hi.{BLOCKED}u.com/gqpgemcuwd/rss
- http://hi.{BLOCKED}u.com/heiwqiu/rss
- http://hi.{BLOCKED}u.com/ihnv2386/rss
- http://hi.{BLOCKED}u.com/iwaxsxg/rss
- http://hi.{BLOCKED}u.com/ocoijxnwkg/rss
- http://hi.{BLOCKED}u.com/wdxiw894/rss
- http://hi.{BLOCKED}u.com/wkgbbw73/rss
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/1f0ac9effbedab6430adfd66f736afc378311e56.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/295d531db3de9c82242fba386c81800a18d843dd.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/398e240aa8d3fd1fc6f6679b304e251f94ca5faa.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/6651d45a9258d109db8e9d0ed158ccbf6c814d32.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/7614f09f4710b91247873e45c3fdfc03934522e5.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/8204a32bb80e7bec062cc75c2f2eb9389a506bb7.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/82de34e95266d0168e92b18f972bd40734fa35a3.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/c8882b633912b31bf89d7d8f8618367adbb4e1b9.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/ec2993cba9ec8a1313d61c46f703918fa1ecc066.jpg
- http://hiphotos.{BLOCKED}u.com/upupupqw/pic/item/f2518b37dd54564ed3cdf798b3de9c82d0584f84.jpg
- http://{BLOCKED}ahpqh.tuita.com/
- http://{BLOCKED}rruym.tuita.com/
- http://{BLOCKED}bdzzr.tuita.com/
- http://t.{BLOCKED}e.com.cn/fxqpzokynx
- http://t.{BLOCKED}e.com.cn/ifakcyahpqh
- http://www.{BLOCKED}o.com/microblog/profile/url.htm?domain=fxqpzokynx
- http://www.{BLOCKED}o.com/microblog/profile/url.htm?domain=ifakcyahpqh
- http://www.{BLOCKED}o.com/microblog/profile/url.htm?domain=jkmxyarruym
- http://www.{BLOCKED}o.com/microblog/profile/url.htm?domain=ybvjw135
- http://www.{BLOCKED}o.com/microblog/pub/index.htm
- http://{BLOCKED}35.tuita.com/