Analysis by: Cris Nowell Pantanilla

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

However, as of this writing, the said sites are inaccessible.

It accesses websites to download files. This action allows this malware to possibly add other malware on the affected computer. It executes downloaded files whose malicious routines are exhibited by the affected system.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes

Arrival Details

However, as of this writing, the said sites are inaccessible.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Program Files%\Common Files\Microsoft Shared\DW\NetworkDW20.exe
  • %Program Files%\Common Files\Microsoft Shared\Database Replication\Resources\1033\resdllwzcnfrc.exe
  • %Program Files%\Common Files\Microsoft Shared\MSDesigners7\Resources\1033\StudioVisual.exe
  • %Program Files%\Common Files\Microsoft Shared\MSENV\EnvironmentMicrosoft7.00.9064.9112.exe
  • %Program Files%\Common Files\Microsoft Shared\TRANSLAT\ESEN\TranslationDictionaries.exe
  • %Program Files%\Common Files\SpeechEngines\Microsoft\SR61\1033\EngineITNGRAM.exe
  • %Program Files%\Common Files\System\MSMAPI\1033\OfficeMicrosoft1.0.2536.0.exe
  • %Program Files%\Common Files\System\msadc\msadcoData.exe
  • %Program Files%\MSN\MSNCoreFiles\POPCMicrosoftR.exe
  • %Program Files%\Microsoft Office\MEDIA\OFFICE11\AUTOSHAP\versionMicrosoft.exe
  • %Program Files%\Microsoft Office\OFFICE11\Migration\MIGRATEOffice11.0.5510.exe
  • %Program Files%\Microsoft Office\OFFICE11\Migration\OfficeOffice11.0.5510.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
MicrosoftEnvironment = %Program Files%\common files\microsoft shared\msenv\environmentmicrosoft7.00.9064.9112.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
MicrosoftOffice = %Program Files%\microsoft office\office11\migration\migrateoffice11.0.5510.ex

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
MicrosoftOrganizer = %Program Files%\microsoft office\media\office11\autoshap\versionmicrosoft.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SPSRXUIMicrosoft = %Program Files%\common files\speechengines\microsoft\sr61\1033\engineitngram.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
TranslationMicrosoft1021091 = %Program Files%\common files\microsoft shared\translat\esen\translationdictionaries.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware name} = {malware path and name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
msdfmapMicrosoft = %Program Files%\common files\system\msadc\msadcodata.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
MicrosoftRMicrosoftR = %Program Files%\msn\msncorefiles\popcmicrosoftr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
MicrosoftVisual = %Program Files%\common files\microsoft shared\msdesigners7\resources\1033\studiovisual.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
OfficeMIGRATE = %Program Files%\microsoft office\office11\migration\officeoffice11.0.5510.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
ReportingWatson = %Program Files%\common files\microsoft shared\dw\networkdw20.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
bjablr32emsmdb32 = %Program Files%\common files\system\msmapi\1033\officemicrosoft1.0.2536.0.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
{malware name} = {malware path and name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
wzcnfrcwzcnfrc = %Program Files%\common files\microsoft shared\database replication\resources\1033\resdllwzcnfrc.exe
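As an added example that is not part of this write-up, the following Python check scans a `reg export` of the Run and RunServices keys and flags any value whose data points at one of the drop locations listed above. The registry excerpt embedded in the block is constructed for the demo; the path and value-name indicators are the ones given in this page.

```python
import re
# Drop locations listed in the write-up, lower-cased, with %Program Files%
# kept as a token so C:\Program Files and C:\Program Files (x86) both match.
DROP_PATHS = {
    r"%program files%\common files\microsoft shared\dw\networkdw20.exe",
    r"%program files%\common files\microsoft shared\database replication\resources\1033\resdllwzcnfrc.exe",
    r"%program files%\common files\microsoft shared\msdesigners7\resources\1033\studiovisual.exe",
    r"%program files%\common files\microsoft shared\msenv\environmentmicrosoft7.00.9064.9112.exe",
    r"%program files%\common files\microsoft shared\translat\esen\translationdictionaries.exe",
    r"%program files%\common files\speechengines\microsoft\sr61\1033\engineitngram.exe",
    r"%program files%\common files\system\msmapi\1033\officemicrosoft1.0.2536.0.exe",
    r"%program files%\common files\system\msadc\msadcodata.exe",
    r"%program files%\msn\msncorefiles\popcmicrosoftr.exe",
    r"%program files%\microsoft office\media\office11\autoshap\versionmicrosoft.exe",
    r"%program files%\microsoft office\office11\migration\migrateoffice11.0.5510.exe",
    r"%program files%\microsoft office\office11\migration\officeoffice11.0.5510.exe",
}
AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)

def normalise(path):
    """Lower-case, unquote and fold the Program Files root to the %program files% token."""
    p = path.strip().strip('"').lower()
    return re.sub(r"^[a-z]:\\program files( \(x86\))?", "%program files%", p)

def find_suspicious_autoruns(reg_export):
    """Return (key, value name, data) for Run/RunServices values pointing at a known drop path."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # section header: [HKEY_LOCAL_MACHINE\...]
            current_key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)         # "name"="data" (REG_SZ, backslashes doubled)
        if m and current_key in AUTORUN_KEYS:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if normalise(data) in DROP_PATHS:
                hits.append((current_key.rsplit("\\", 1)[1], name, data))
    return hits

# Constructed excerpt of a `reg export` file for the demo, not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftEnvironment"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSENV\\EnvironmentMicrosoft7.00.9064.9112.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ReportingWatson"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DW\\NetworkDW20.exe"
'''
```

On a live host, feed `find_suspicious_autoruns` the text produced by exporting `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion` with `reg export`; a hit on either key is the persistence described above and the referenced file should be examined before removal.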

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
1 = {Random Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
2 = {Random Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
3 = {Random Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
4 = {Random Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
5 = {Random Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
6 = {Random Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MediaPlayer\Setup\Files
7 = {Random Hex Values}

Download Routine

This Trojan accesses websites to download the following files:

  • http://{BLOCKED}place.biz/getfile.php
  • http://{BLOCKED}place.biz/httpss/ldr123.php

It executes downloaded files whose malicious routines are exhibited by the affected system.