Analysis by: Nikko Tamana

ALIASES:

VBS/DwnLdr-UZE (Sophos)

PLATFORM:

Windows

OVERALL RISK RATING:
DAMAGE POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This Trojan employs registry shell spawning by adding certain registry entries. This allows the malware to execute whenever other applications are opened.

It modifies Internet Explorer security settings. This puts the affected computer at greater risk, as it allows malicious URLs to be accessed by the computer.

TECHNICAL DETAILS

File Size: 134,210 bytes
File Type: VBS
Initial Samples Received Date: 09 Jan 2018

Installation

This Trojan drops the following files:

  • %ProgramData%\{random letters}\System
  • %ProgramData%\{random numbers}.exe

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

  • %ProgramData%\{random letters}\{random letters}.vbs

Autostart Technique

This Trojan creates the following registry entries to enable automatic execution of the dropped component at every system startup:

HKCU\Software\Microsoft\
Windows\CurrentVersion\Run
ChromeUpdater = %ProgramData%\{random numbers}.exe

It employs registry shell spawning to ensure its execution when certain file types are accessed by adding the following entries:

HKLM\SOFTWARE\Classes\
{random letters}\shell\open\
command
{Default} = "%ProgramData%\{random letters}\System" "%ProgramData%\{random letters}\{random letters}.vbs" "%1 %2 %3 %4 %5 %6 %7 %8 %9"

HKLM\SOFTWARE\Classes\
{random letters}\shell\runas\
command
{Default} = "%ProgramData%\{random letters}\System" "%ProgramData%\{random letters}\{random letters}.vbs" "%1 %2 %3 %4 %5 %6 %7 %8 %9"

HKLM\SOFTWARE\Classes\
{random letters}\shell\runas
HasLUAShield = {Default}

Other System Modifications

This Trojan adds the following registry keys:

HKLM\SOFTWARE\Classes\
{random letters}

HKLM\SOFTWARE\Classes\
{random letters}\shell

HKLM\SOFTWARE\Classes\
{random letters}\shell\open

HKLM\SOFTWARE\Classes\
{random letters}\shell\open\
command

HKLM\SOFTWARE\Classes\
{random letters}\shell\runas

HKLM\SOFTWARE\Classes\
{random letters}\shell\runas\
command

HKLM\SOFTWARE\Classes\
{random letters}\DefaultIcon

HKLM\SOFTWARE\Classes\
.

HKCU\Software\Vaalberit

It adds the following registry entries as part of its installation routine:

HKLM\SOFTWARE\Classes\
{random letters}\DefaultIcon
{Default} = %1

HKCU\Software\Vaalberit
black = !TEST.EXE!

HKCU\Software
Vaalberit = {random letters}

HKLM\SOFTWARE\Classes\
.exe
{Default} = {random letters}

HKLM\SOFTWARE\Classes\
.
{Default} = exefile

HKCU\Software\Vaalberit
black = 0!0
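The Autostart Technique and Other System Modifications sections above describe two persistence mechanisms: a Run value named ChromeUpdater, and a hijack of the .exe file association (HKLM\SOFTWARE\Classes\.exe redirected to a random ProgId whose open/runas commands launch the dropped .vbs). The following PowerShell script is an added defender-side check, not part of the Trend Micro write-up, that looks for exactly those artifacts on a host. It assumes the value names and paths as documented above and should be run from an elevated prompt so the HKLM class keys are fully readable.

```powershell
# Added example (not from the original analysis): enumerate the registry
# persistence artifacts described above and report which are present.
# Assumes the documented names: Run value "ChromeUpdater", marker key
# HKCU\Software\Vaalberit, and a .exe ProgId hijack under HKLM\SOFTWARE\Classes.

$findings = @()

# 1. Run value "ChromeUpdater" (documented as pointing into %ProgramData%)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ChromeUpdater']) {
    $findings += "Run value ChromeUpdater = $($run.ChromeUpdater)"
}

# 2. .exe association redirected away from the stock 'exefile' handler
$exeAssoc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.exe' -ErrorAction SilentlyContinue
$progId = $null
if ($exeAssoc) { $progId = $exeAssoc.'(default)' }
if ($progId -and $progId -ne 'exefile') {
    $findings += ".exe handler hijacked: (default) = $progId"

    # 3. Hijacked ProgId's open/runas commands launching a .vbs from %ProgramData%
    foreach ($verb in 'open', 'runas') {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\$verb\command"
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match '\.vbs' -and $cmd -match 'ProgramData') {
            $findings += "shell\$verb command for $progId runs a script: $cmd"
        }
    }
}

# 4. Class key literally named "." with default 'exefile'.
#    Opened via .NET rather than the HKLM: provider because provider path
#    normalisation may collapse a trailing "." path component (assumption).
$dotKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Classes\.')
if ($dotKey) {
    $findings += "Class key HKLM\SOFTWARE\Classes\. present, (default) = $($dotKey.GetValue(''))"
    $dotKey.Close()
}

# 5. Marker key and value the sample writes under HKCU\Software
if (Test-Path 'HKCU:\Software\Vaalberit') {
    $black = (Get-ItemProperty -Path 'HKCU:\Software\Vaalberit' -ErrorAction SilentlyContinue).black
    $findings += "HKCU\Software\Vaalberit present (black = $black)"
}
$vaalberit = (Get-ItemProperty -Path 'HKCU:\Software' -ErrorAction SilentlyContinue).Vaalberit
if ($vaalberit) {
    $findings += "HKCU\Software value Vaalberit = $vaalberit (name of the hijacked ProgId)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this write-up were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The .exe association check is the most useful of the five: while the dropped files can be renamed or moved, the hijack only works if HKLM\SOFTWARE\Classes\.exe points at the attacker's ProgId, so a value other than exefile there is a strong signal on its own. Clean-up consists of restoring that default to exefile and removing the listed keys, but note that deleting the hijacked ProgId before fixing the .exe association leaves the system unable to launch executables from the shell.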

Web Browser Home Page and Search Page Modification

This Trojan modifies Internet Explorer zone settings.

Download Routine

This Trojan saves the files it downloads using the following names:

  • %ProgramData%\{random letters}\{random alphanumeric characters}.exe

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://54.36{BLOCKED}75//////////ars//////gate.php?os={OS version}&user={Username}&av={installed AV product}&fw={Disk space, Processor, Video card installed}&hwid={Hardware ID}
  • http://54.36{BLOCKED}75//////////ars//////gateb.php?