ALIASES:

Monkif, Myxa

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

MONKIF malware are components of a botnet called ExeDot. These components are used to access certain websites to download other malware onto already infected systems. Moreover, MONKIF malware also terminate processes related to antivirus and firewall programs to avoid early detection and subsequent removal on the systems.

This malware family of Trojans can be downloaded on malicious websites or dropped by other malware. It is also installed as a Browser Helper Object (BHO).

  TECHNICAL DETAILS

Payload: Connects to URLs/IPs, Drops files, Downloads files, Terminates processes

Installation

This Trojan drops the following files:

  • %User Temp%\msfat32
  • %User Temp%\msmonitor
  • %User Temp%\{random file name}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}
ThreadingModel = "Apartment"

HKEY_CLASSES_ROOT\CLSID\{random CLSID}
(Default) = "%User Temp%\msfat32"

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\
text/html
CLSID = "{random CLSID}"

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\
text/html
(Default) = "Microsoft Improved HTML MIME Filter"

HKEY_CURRENT_USER\Software\CLSID\
{Random UUID}\InProcServer32
(Default) = "{Malware Path and File Name}"

HKEY_CURRENT_USER\Software\CLSID\
{Random UUID}\InProcServer32
ThreadingModel = "Apartment"

HKEY_CURRENT_USER\Software\Classes\
PROTOCOLS\Filter\text/html
{Default} = "Microsoft Improved HTML MIME Filter"

HKEY_CURRENT_USER\Software\Classes\
PROTOCOLS\Filter\text/html
CLSID = "{Random UUID}"

Other Details

This Trojan connects to the following possibly malicious URL:

  • www.{BLOCKED}ies.com/photo/{random characters}.php?{random characters}={encrypted code for the running processes}
  • http://www.{BLOCKED}iaz.com/photo/{random}.php?{random}
  • http://www.{BLOCKED}litzk.com/photo/{random}.php?{random}
  • http://{BLOCKED}ncy.com/cgi/{random characters}.php?{random characters}={encrypted code for the running processes}
  • http://ww1.{BLOCKED}ncy.com/cgi/{random characters}.php?{random characters}={encrypted code for the running processes
  • http://{BLOCKED}s.com/cgi/{random characters}.php?{random characters}={encrypted code for the running processes
  • http://{BLOCKED}ing.com/?{random}={random}