Analysis by: Jaime Benigno Reyes

ALIASES:

Trojan-Dropper.Win32.Injector.icwk (Kaspersky)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 134,144 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 24 Apr 2013

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following file(s)/component(s):

  • %System Root%\autorun.inf
  • %User Temp%\AppLaunch\Service.exe
  • %User Temp%\AppLaunch\App.ine
  • %User Temp%\{random}.0.cs
  • %User Temp%\{random}.tmp
  • %User Temp%\{random}.dll
  • %User Temp%\{random}.err
  • %User Temp%\{random}.out

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %System Root%\rundll32.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

HOSTS File Modification

This Trojan modifies the system's HOSTS files to redirect users once the following Web site(s) are accessed:

  • bancaribe.com.ve
  • www.bancaribe.com.ve
  • bancodevenezuela.com
  • www.bancodevenezuela.com
  • provincial.com
  • www.provincial.com
  • bodinternet.com
  • www.bodinternet.com

It adds the following strings to the Windows HOSTS file:

  • 74.221.212.116 bancaribe.com.ve
  • 74.221.212.116 www.bancaribe.com.ve
  • 74.221.212.116 bancodevenezuela.com
  • 74.221.212.116 www.bancodevenezuela.com
  • 74.221.212.116 provincial.com
  • 74.221.212.116 www.provincial.com
  • 74.221.212.116 bodinternet.com
  • 74.221.212.116 www.bodinternet.com

NOTES:

It drops an AUTORUN.INF file in the system root folder to automatically execute the copy it drops there when a user accesses this drive.

The said .INF file contains the following strings:

[autorun]
shelexecute=rundll32.exe