TROJ_AVRECON.NVQ
TrojanDropper:Win32/Evotob.A (Microsoft); Trojan.Win32.Waldek.syz (Kaspersky); Win32/Exploit.CVE-2013-3660.L trojan (NOD32)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File size: 200,997 bytes
File type: EXE
Initial samples received date: 07 Sep 2018
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Application Data%\Mozilla\svchoste.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)
Other System Modifications
This Trojan adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions
*.exe = 0
*.dll = 0
*.tmp = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
afwqs.exe = 0
rgjdu.exe = 0
explorer.exe = 0
spoolsv.exe = 0
rundll32.exe = 0
consent.exe = 0
svchost.exe = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
*.exe = 0
*.dll = 0
*.tmp = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
afwqs.exe = 0
rgjdu.exe = 0
explorer.exe = 0
spoolsv.exe = 0
rundll32.exe = 0
consent.exe = 0
svchost.exe = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
wowsys64datecheck = 1
ZonesSecurityTestUpgrade = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\publicprofile
EnableFirewall = 0
DoNotAllowExceptions = 0
DisableNotifications = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DoNotAllowExceptions = 0
DisableNotifications = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions = 0
DisableNotifications = 1
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = 0
(Note: The default value data of the said registry entry is 1.)
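The registry and file artifacts listed above can be checked on a host with a read-only audit. The following PowerShell script is an added example, not part of the Trend Micro report or any tool it describes: the key paths, value names and value data come from the entries above; the WOW6432Node variants of the SOFTWARE keys, the Get-MpPreference cross-check and the Test-RegValue helper are assumptions added here. Run it from an elevated prompt; it only reads the registry and file system.

```powershell
# Added example (not from the Trend Micro report): read-only audit of a Windows host
# for the TROJ_AVRECON.NVQ artifacts. Key/value names are taken from the report;
# the WOW6432Node paths and the Get-MpPreference cross-check are assumptions.

$findings = New-Object System.Collections.Generic.List[object]

function Test-RegValue {
    param([string]$KeyPath, [string]$ValueName, $Expected, [string]$Why)
    # RegistryKey.GetValue() is a literal lookup, so names like "*.exe" are not wildcards.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    $actual = $key.GetValue($ValueName, $null)
    if ($null -ne $actual -and $actual -eq $Expected) {
        $findings.Add([pscustomobject]@{ Key = $KeyPath; Name = $ValueName; Value = $actual; Why = $Why })
    }
}

# Antimalware / Defender exclusions the report says the Trojan adds (value data 0).
$exclusionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft Antimalware\Exclusions',  # assumption: 32-bit view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions'        # assumption: 32-bit view
)
$exclExt  = '*.exe', '*.dll', '*.tmp'
$exclProc = 'afwqs.exe', 'rgjdu.exe', 'explorer.exe', 'spoolsv.exe', 'rundll32.exe', 'consent.exe', 'svchost.exe'

foreach ($root in $exclusionRoots) {
    foreach ($e in $exclExt)  { Test-RegValue "$root\Extensions" $e 0 'AV exclusion by extension' }
    foreach ($p in $exclProc) { Test-RegValue "$root\Processes"  $p 0 'AV exclusion by process name' }
}

# Marker values the report lists under Windows NT\CurrentVersion.
$ntRoots = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion'
foreach ($root in $ntRoots) {
    Test-RegValue $root 'wowsys64datecheck'        1 'infection marker'
    Test-RegValue $root 'ZonesSecurityTestUpgrade' 1 'infection marker'
}

# Firewall policy values from the report. EnableFirewall = 0 is the real weakening
# (default is 1); DoNotAllowExceptions = 0 matches the platform default and is
# reported only for completeness.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'PublicProfile', 'DomainProfile', 'StandardProfile') {
    Test-RegValue "$fwBase\$profile" 'EnableFirewall'       0 'firewall disabled for profile'
    Test-RegValue "$fwBase\$profile" 'DisableNotifications' 1 'firewall notifications suppressed'
    Test-RegValue "$fwBase\$profile" 'DoNotAllowExceptions' 0 'exceptions allowed (default value, informational)'
}

# Dropped copy. Note the file name is svchoste.exe, not the legitimate svchost.exe.
$dropped = Join-Path $env:APPDATA 'Mozilla\svchoste.exe'
if (Test-Path -LiteralPath $dropped) {
    $size = (Get-Item -LiteralPath $dropped).Length
    $findings.Add([pscustomobject]@{ Key = $dropped; Name = 'file'; Value = $size; Why = 'dropped copy present' })
}

# Cross-check through the Defender cmdlets, which expose the effective configuration
# regardless of which registry view the values were written to.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    $extHits  = @($pref.ExclusionExtension | Where-Object { $_.TrimStart('.') -in 'exe', 'dll', 'tmp' })
    $procHits = @($pref.ExclusionProcess   | Where-Object { (Split-Path -Leaf $_) -in $exclProc })
    foreach ($h in ($extHits + $procHits)) {
        $findings.Add([pscustomobject]@{ Key = 'Get-MpPreference'; Name = 'exclusion'; Value = $h; Why = 'effective Defender exclusion' })
    }
} catch {
    Write-Warning "Get-MpPreference unavailable: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from the TROJ_AVRECON.NVQ report were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The helper reads values through RegistryKey.GetValue() rather than Get-ItemProperty -Name because -Name treats "*.exe" as a wildcard pattern and would match any value ending in .exe. A hit on explorer.exe or svchost.exe in the Processes exclusion list is worth attention on its own, since excluding those names from scanning is rarely a legitimate configuration.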
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.26.248:80
- http://{BLOCKED}onized2.cc/lost.dat