Analysis by: Cris Nowell Pantanilla
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 178,176 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 05 Nov 2011

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Program Files%\LP\4B4B\C29.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops the following non-malicious file:

  • %Application Data%\B0B2D\D6E3.0B2

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %Application Data%\B0B2D
  • %Program Files%\2D6E3
  • %Program Files%\LP
  • %Program Files%\LP\4B4B

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
C29.exe = "%Program Files%\LP\4B4B\C29.exe"

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

  • http://{BLOCKED}dlegion.com/305986.png
  • http://{BLOCKED}dlegion.com/16354.png
  • http://{BLOCKED}dlegion.com/716354_m61.png
  • http://{BLOCKED}k.net/thelab/wiley.jpg
  • http://{BLOCKED}dgesutra.com/img/temp/hi.cgi
  • http://{BLOCKED}dgesutra.com/img/temp/head.png
  • http://{BLOCKED}on.com/134.gif
  • http://{BLOCKED}on.com/132.gif
  • http://{BLOCKED}on.com/133.gif
  • http://{BLOCKED}rmmorpg.com/images/cpc.png
  • http://{BLOCKED}rmmorpg.com/images/cpc2.png
  • http://{BLOCKED}rmmorpg.com/img/intel.gif
  • http://{BLOCKED}rmmorpg.com/img/intel.jpg
  • http://{BLOCKED}pages.com/christian12.jpg
  • http://{BLOCKED}pages.com/christian13.jpg
  • http://{BLOCKED}pages.com/christian14.jpg
  • http://{BLOCKED}untymech.com/g/livechat.png
  • http://{BLOCKED}untymech.com/g/logo.png
  • http://{BLOCKED}untymech.com/g/133.jpg
  • http://{BLOCKED}untymech.com/g/134.jpg
  • http://{BLOCKED}onicstheory.com/pics/valley.png
  • http://{BLOCKED}onicstheory.com/pics/sun.png
  • http://{BLOCKED}cbattletech.com/lhous3.gif
  • http://{BLOCKED}cbattletech.com/lhous4.gif
  • http://{BLOCKED}cbattletech.com/lhous5.gif
  • http://{BLOCKED}cbattletech.com/lhous6.gif
  • http://{BLOCKED}eringcrossing.com/images/misc/23525.png
  • http://{BLOCKED}eringcrossing.com/images/misc/64646.png