TROJ_SMALL_000002d.TOMA
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Windows%\{random file name}.exe
- %System%\{random file name}.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following files:
- %Windows%\{random file name}.dat
- %System%\{random file name}.dat
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NTSpool = "{malware path and file name}"
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CURRENT_USER\Software\Acti
HKEY_LOCAL_MACHINE\SOFTWARE\Acti
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\MediaResources\msvideo
Download Routine
This Trojan connects to the following malicious URLs:
- {BLOCKED}.{BLOCKED}.160.149:2000
- {BLOCKED}.{BLOCKED}.160.149:2006
- {BLOCKED}.{BLOCKED}.52.176:2000
As of this writing, the said sites are inaccessible.