Analysis by: MarfelTi
 Modified by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 55,808 bytes
File Type: DLL
Initial Samples Received Date: 13 Sep 2011

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Trojan registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv2DC
ImagePath = "%System Root%\system32\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv2DC
DisplayName = "srv2DC"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
srv2DC
default = "service"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
srv2DC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv2DC

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\GloballyOpenPorts\
List
67:UDP = "67:UDP:*:Enabled:DHCP Server"

Download Routine

This Trojan accesses the following websites to download files:

  • http://{BLOCKED}8.{BLOCKED}9.89.121/X