TROJ_INJECTOR.WOW
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
{random} = "%System%\{random}.exe"
Other System Modifications
This Trojan adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
SysDebug32 = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Enabled:{random}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
{random} = "ffffffff"
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\SystemRestore
Dropping Routine
This Trojan drops the following files:
- %System%\{random}.exe
- %User Startup%\System Check.lnk
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}n.net
It deletes itself after execution.