Analysis by: Rhena Inocencio

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 326,904 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 12 Jul 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • {All User's Profile}\Application Data\{random file name 1}.EXE

It drops the following files:

  • {All User's Profile}\Application Data\{random file name 2}.EXE
  • {All User's Profile}\Application Data\{random file name 2}
  • %User Temp%\{random file name 3}.EXE
  • %User Profile%\START MENU\Programs\FILE RECOVERY\FILE RECOVERY.LNK
  • %User Profile%\START MENU\Programs\FILE RECOVERY\UNINSTALL FILE RECOVERY.LNK
  • %Desktop%\FILE_RECOVERY.LNK
  • %User Profile%\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\FILE_RECOVERY.LNK
  • {All User's Profile}\Application Data\-{random file name 2}
  • {All User's Profile}\Application Data\-{random file name 2}R

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\START MENU\Programs\FILE RECOVERY

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random file name 1}.exe = "{All User's Profile}\Application Data\{random file name 1}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name 2} = "{All User's Profile}\Application Data\{random file name 2}.exe"

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software
0df15996-87ec-4c84-a01b-a82c457edea3 = "{random values}"

HKEY_CURRENT_USER\Software
nsreg = "{hex values}"

HKEY_CURRENT_USER\Software
pth = "{hex values}"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Use FormSuggest = "Yes"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
EnableAutoTray = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Taskband
_Favorites = "{hex values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowControlPanel = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowHelp = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowMyComputer = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowMyDocs = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowMyGames = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowMyMusic = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowMyPics = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowNetConn = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowNetPlaces = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowPrinters = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowRecentDocs = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowRun = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowSearch = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowSetProgramAccessAndDefaults = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Start_ShowUser = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
TaskbarGlomLevel = "2"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
TaskbarGlomming = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
CertificateRevocation = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnonBadCertRecving = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnZoneCrossing = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
ActiveDesktop
HidNoChangingWallPaperden = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Attachments
SaveZoneInformation = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDesktop = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
DisableTaskMgr = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
HideDesktopIcons\ClassicStartMenu
{208D2C60-3AEA-1069-A2D7-08002B30309D} = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\WinTrust\
Trust Providers\Software Publishing
State = "23e00"

(Note: The default value data of the said registry entry is 23c00.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}truct.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==
  • http://{BLOCKED}ahote.com/?ylOdR9GQqXquMlTvsmXlkaz1x3Eb/A==
  • http://{BLOCKED}retin.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==
  • http://{BLOCKED}uinesc.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==
  • http://{BLOCKED}rin.com/?ylOdR9GQqXquMlTvsmXlkaz1x3Eb/A==
  • http://{BLOCKED}nov.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==
  • http://{BLOCKED}ingona.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==
  • http://{BLOCKED}oaclpso.com/?ylOdR9GQqXquMlTvsmXlkaz1x3Eb/A==
  • http://{BLOCKED}entarec.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==
  • http://{BLOCKED}truct.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajjnvq1aG3F/2q5oNqwOd0A==

It deletes the initially executed copy of itself