For Home

Virus Profile: Generic Dropper

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/10/2003
Date Added: 9/2/2003
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Dropper
DAT Required: 6844
Removal Instructions
   
 
 
   

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Presence of above mentioned files and registry activities.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
   

Virus Characteristics

-------------------Updated on 27 sep, 2012------------------------------------

Aliases –

  • Microsoft -  Worm:Win32/Pushbot.VV
  • Nod32  -  Win32/Injector.WYF trojan (variant)
  • Fortinet - W32/Injector.WYF

Generic Dropper” is detection for a Trojan which download other malware to system. It may also collect system information and send to the remote attacker.

Upon execution the Trojan tries to connect the following IP Address in order to download other payloads.

  • mining.eli[Removed].st:8337
  • ra.mining.eli[Removed].st:8337
  • 246.167. [Removed].206:5500
  • 206.253. [Removed].246
  • 78.47. [Removed].252  
  • hxxp://69.31. [Removed].5/pro/dl/z3kid
  • hxxp://69.31. [Removed].29/dlpro/99c6b7169471c892c9e5741ee371be6a/50644edd/z3kid4/operation1.exe
  • sen[Removed]e.com
  • fs06n5.sen[Removed]e.com
  • bli[Removed].kz
  • hxxp://ufa[Removed].com/coin
  • hxxp://www.send[Removed].com/pro/dl/65kzce
  • hxxp://www.send[Removed].com/pro/dl/t314ax

Captured Post Method:

  •  POST / HTTP/1.1. 
    .Authorization:  
    Basic MThnVmNwWD 
    FocGc0eHp0QmJkaW 
    VBQkJoZmtGS1NGM3 
    Jldzp4..Content- 
    Length: 43..X-Mi 
    ning-Extensions: 
     hostlist longpo 
    ll midstate nonc 
    erange rollntime 
     switchto..User- 
    Agent: Ufasoft ( 
    Windows NT XP 5. 
    1.2600 Service P 
    ack 2) ..Host: m 
    ining.eligius.st 
    :8337..Cache-Con 
    trol: no-cache.. 
    ..{"method": "ge 
    twork", "params" 
    : [], "id":0}    
  • POST / HTTP/1.1
    Authorization: Basic MThnVmNwWDFocGc0eHp0QmJkaWVBQkJoZmtGS1NGM3Jldzp4
    Content-Length: 43
    X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
    User-Agent: Ufasoft (Windows NT XP 5.1.2600 Service Pack 2)
    Host: mining.eligius.st:8337
    Cache-Control: no-cache
    {"method": "getwork", "params": [], "id":0}HTTP/1.1 200 OK
    Content-Length: 542
    X-Roll-NTime: expire=120
    X-Long-Polling: /LP
    Server: Eloipool
    Date: Thu, 27 Sep 2012 13:09:02 GMT
    Content-Type: application/json
    {"result": {"data": "000000021d4253f11d102163c591f9ab62e7a6b74a9db60f1e24ab910000008d00000000de981a911bc13c07b88b920efb1c4c0b20461eb11464d52e05f87daac85befd650644fee1a05db8b456c6f69000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000", "hash1": "00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000", "target": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", "submitold": true}, "id": 0, "error": null}POST / HTTP/1.1
    Authorization: Basic MThnVmNwWDFocGc0eHp0QmJkaWVBQkJoZmtGS1NGM3Jldzp4
    Content-Length: 43
    X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
    User-Agent: Ufasoft (Windows NT XP 5.1.2600 Service Pack 2)
    Host: mining.eligius.st:8337
    Cache-Control: no-cache
    {"method": "getwork", "params": [], "id":0}HTTP/1.1 200 OK
    Content-Length: 542
    X-Roll-NTime: expire=120
    X-Long-Polling: /LP
    Server: Eloipool
    Date: Thu, 27 Sep 2012 13:09:02 GMT
    Content-Type: application/json
    {"result": {"data": "000000021d4253f11d102163c591f9ab62e7a6b74a9db60f1e24ab910000008d0000000025b526072d16078d7a376aed7d66e1b4231f8fbf135ab81f626d4ac03df63b8250644fee1a05db8b456c6f69000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000", "hash1": "00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000", "target": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", "submitold": true}, "id": 0, "error": null}POST / HTTP/1.1
    Authorization: Basic MThnVmNwWDFocGc0eHp0QmJkaWVBQkJoZmtGS1NGM3Jldzp4
    Content-Length: 43
    X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
    User-Agent: Ufasoft (Windows NT XP 5.1.2600 Service Pack 2)
    Host: mining.eligius.st:8337
    Cache-Control: no-cache
    {"method": "getwork", "params": [], "id":0}HTTP/1.1 200 OK
    Content-Length: 542
    X-Roll-NTime: expire=120
    X-Long-Polling: /LP
    Server: Eloipool
    Date: Thu, 27 Sep 2012 13:09:03 GMT
    Content-Type: application/json
    {"result": {"data": "000000021d4253f11d102163c591f9ab62e7a6b74a9db60f1e24ab910000008d0000000052cb8eda76cf17f02c824175d459b54bb40eb24fd287fcc28be9ad13e531be2b50644fef1a05db8b456c6f69000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000", "hash1": "00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000", "target": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", "submitold": true}, "id": 0, "error": null}

 Upon execution the Trojan drops the payloads in the following location:

  • %Appdata%\con64.exe
  • %Appdata%\w64.exe
  • %Appdata%\ Lqgalabfiybgjcdw.exe
  • %Temp%\jmezewnkykkslha.exe
  • %UsersProfile%\Local Settings\Temporary Internet Files\Content.IE5\6PAR438P\DCIM8384673278x86[1].png
  • : [RemovableDrive]\hYDguxl
  • : [RemovableDrive]\hyDguxl\hyDguxl.exe
  • : [RemovableDrive]\[Foldername]
  • : [RemovableDrive]\Desktop.ini
  • : [RemovableDrive]\autorun.inf

    And the Trojan drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

    The file "AutoRun.inf" is pointing to the malware binary executable, when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

    The autorun.inf is configured to launch the Trojan file via the following shell commands.

    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    [autorun]
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy

    open=G:\hYDguxl\hYDguxl.exe
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    icon=%SystemRoot%\system32\SHELL32.dll,7
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    UseAutoPlay=1
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    shell\Explore\Command=G:\hYDguxl\hYDguxl.exe
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    shell\open\command=G:\hYDguxl\hYDguxl.exe
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy
    XAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOyXAÇ6EXë<1+M&}VàpÏ8C:Mx+ºÿ,3Ç7ÇV7ÿ[!Q]k!e×+º&UqI!XM7óYY}p^&zîkZ].}©}e+2^HñH0aÿQm}mãPOy

    The following registry values have been added to the system.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Lqgalabfiybgjcdw.exe"%Appdata%Lqgalabfiybgjcdw.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lqgalabfiybgjcdw.exe
    • "%Appdata%Lqgalabfiybgjcdw.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Manager
    •  %Appdata%con64.exe

    The above mentioned registry ensures that the Trojan registers run entry with the compromised system and execute itself upon every reboot.

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable :0
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass:1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable:0
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable:0

    The above registry entries confirm that the Trojan tries to disable the proxy settings.

    Below are the commands used by the remote attacker in order to collect system information from the compromised machine.

    • GetSystemInfo
    • GetNativeSystemInfo

    -----------------------------------------------------------------------------------------------------------------------------------------------------

     

This detection covers certain self-extracting trojan droppers (or installers).  This detection is too broad to provide specific information about any one sample.  However, malicious files dropped by Generic Dropper trojans will also be detected; typically by name, for which specific details are usually available.
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).