TROJ64_SKELKI.Z-A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Temp%\yy{random}.tmp - TROJ64_SKELKI.Z-A
• %System32%\mccf.dll - TROJ64_SKELKI.Z-A

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Trojan starts the following services:

• sensvr

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Tecnent.

NOTES:

This malware checks if the computer is any of the following 64-bit operating versions:

• Windows Server 2003 (NT 5.2)
• Windows Server 2008 (NT 6.0)
• Windows Server 2008 R2 (NT 6.1)

It searches for the process lsass.exe and checks if the following modules exist:

• msv1_0.dll
• kdcsvc.dll
• cryptdll.dll
• samsrv.dll

It obtains addresses for the following API:

• CDLocateCSystem (cryptdll.dll)
• SamIRetrieveMultiplePrimaryCredentials (samsrv.dll)
• SamIRetrievePrimaryCredentials (samsrv.dll)

It patches or hooks the obtained API address with an allotted memory in order to bypass password authentication. This allows a malicious user to use domain accounts with an injected password.