
Virus Profile: Generic.dx!bc3c

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/8/2011
Date Added: 12/8/2011
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Generic
DAT Required: 6554

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

Avira - Rkit/Agent.204800

Indication of Infection

Presence of the files and registry entries listed under Virus Characteristics below.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Virus Characteristics

Upon execution, the Trojan drops the following file:

 %UserProfile%\AppData\Roaming\koino\liveweb_hana\updateagent.exe

The Trojan also looks for VersionInfo.ini and reads the value stored under its "ComponentLocation" key.

If the "ComponentLocation" key exists, it attempts to download an executable from hxxp://[componentlocation]/VERSIONINFO.zip, renames it to LiveWeb_Hana.exe and runs it.

If the "ComponentLocation" key is not found, it attempts to download hxxp://COMPONENTLOCATION/VERSIONINFO.zip instead, that is, with the literal string COMPONENTLOCATION where the host name would be.
The downloaded file is also copied to %SystemDrive%\Users\[Username].exe (Windows Vista and later) or %SystemDrive%\Documents and Settings\[Username].exe (Windows XP), i.e. an executable named after the logged-on user and placed directly in the profile root directory.

Upon execution, the Trojan attempts to connect to the following domain on remote TCP port 80 and listens for inbound traffic:

 koin[Removed]h.com

The following registry values have been added to the system. Together they register a COM server (class "Launcher Class", ProgID HanaUpdater.Launcher, interfaces ILauncher and _ILauncherEvents) whose InprocServer32 points to HANAUPDATER.dll in the user's Desktop folder; a COM in-process server loaded from a user-writable location is itself a useful hunting indicator.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\MiscStatus\1\: "131473"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VersionIndependentProgID\: "HanaUpdater.Launcher"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\Version\: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ToolboxBitmap32\: "%UserProfile%\Desktop\HANAUPDATER.dll, 101"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\MiscStatus\: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "Launcher Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "_ILauncherEvents"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "ILauncher"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%UserProfile%\Desktop\"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "HanaUpdater 1.0 Type Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CurVer\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\: "Launcher Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher.1\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher.1\: "Launcher Class"
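The dropped-file paths and the COM registration above can be turned into a simple offline triage check. The following Python is an added example written for this page; it is not McAfee's code and not the Trojan's. It parses registry lines in the same `key\value: "data"` form the profile uses, flags an InprocServer32 DLL in a user-writable location and the HanaUpdater.Launcher ProgID, and matches file paths against the drop locations. The sample registry lines and file paths are constructed from the profile (the user name "alice" and one benign control in each set are made up), and the {GUID} placeholder is kept because the page does not give the real CLSID.

```python
import re
from dataclasses import dataclass

# Added example for this profile page; not McAfee's code and not the Trojan's.
# It turns the dropped-file and registry indicators listed above into a small
# offline triage check. Sample inputs are constructed from the profile, with
# one benign control entry in each set; {GUID} is kept as the page gives it.

# Locations a standard user can write to. A COM InprocServer32 DLL living here
# is suspicious: legitimate servers are installed under Program Files/System32.
USER_WRITABLE = re.compile(
    r"(%userprofile%|%appdata%|%localappdata%|%temp%|\\users\\|\\documents and settings\\)",
    re.IGNORECASE,
)
PROGIDS = {"hanaupdater.launcher", "hanaupdater.launcher.1"}
# updateagent.exe in the koino\liveweb_hana drop directory, the renamed download
# LiveWeb_Hana.exe, and an .exe sitting directly in the profile root
# (%SystemDrive%\Users\[Username].exe or ...\Documents and Settings\[Username].exe).
DROPPED_FILES = re.compile(
    r"(\\koino\\liveweb_hana\\updateagent\.exe$"
    r"|\\liveweb_hana\.exe$"
    r"|\\(users|documents and settings)\\[^\\]+\.exe$)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def parse_reg_line(line):
    """Parse one 'HKEY...\\key\\valuename: "data"' line (the profile's own format)
    into (key, value_name, data). An empty value name is the key's default value.
    Returns None for lines that do not fit the format."""
    path, sep, rest = line.strip().partition(': "')
    if not sep or not path.upper().startswith("HK"):
        return None
    data = rest.rstrip()
    if data.endswith('"'):
        data = data[:-1]
    key, _, value = path.rpartition("\\")
    return key, value, data


def scan_registry(lines):
    """Return ordered, de-duplicated Findings for the registry indicators."""
    findings = []
    for line in lines:
        parsed = parse_reg_line(line)
        if parsed is None:
            continue
        key, value, data = parsed
        parts = key.split("\\")
        lower = [p.lower() for p in parts]
        # Rule 1: InprocServer32 default value naming a DLL in a user-writable path.
        if lower[-1] == "inprocserver32" and value == "" and USER_WRITABLE.search(data):
            findings.append(Finding("com_inproc_user_writable", data))
        # Rule 2: the HanaUpdater.Launcher ProgID, either as a key directly under
        # Classes or as the default value of a ProgID/VersionIndependentProgID subkey.
        progid = None
        if "classes" in lower:
            i = lower.index("classes") + 1
            if i < len(parts) and lower[i] in PROGIDS:
                progid = parts[i]
        if lower[-1] in ("progid", "versionindependentprogid") and value == "" and data.lower() in PROGIDS:
            progid = data
        if progid is not None:
            findings.append(Finding("hanaupdater_progid", progid))
    # The same ProgID appears under several keys; keep the first occurrence only.
    return list(dict.fromkeys(findings))


def scan_files(paths):
    """Return a Finding for every path matching one of the dropped-file patterns."""
    return [Finding("dropped_file", p) for p in paths if DROPPED_FILES.search(p)]


# Constructed sample input: four lines taken from the profile plus one benign
# control (a made-up CLSID whose server lives in System32) that must not fire.
SAMPLE_REGISTRY = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\: "C:\Windows\System32\benign.dll"
'''.strip().splitlines()

# Constructed sample paths: the profile's drop locations for a made-up user
# "alice", plus one benign control under Program Files.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\koino\liveweb_hana\updateagent.exe",
    r"C:\Users\alice\Downloads\LiveWeb_Hana.exe",
    r"C:\Users\alice.exe",
    r"C:\Documents and Settings\alice.exe",
    r"C:\Program Files\Vendor\app.exe",
]

if __name__ == "__main__":
    for f in scan_registry(SAMPLE_REGISTRY) + scan_files(SAMPLE_FILES):
        print(f"{f.rule:26} {f.evidence}")
```

The registry rule on InprocServer32 is deliberately generic: it will also surface any other COM server registered from %UserProfile% or %AppData%, which is the behaviour worth reviewing whether or not this particular sample is present. The ProgID rule is specific to this family and is de-duplicated because the profile shows the same ProgID under several keys.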

The following registry values have been modified on the system (the new data is not recorded in this profile; the Wow6432Node paths show the sample was observed running as 32-bit code on a 64-bit Windows host).

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKEY_LOCAL_MACHINE_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck


Removal Instructions

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).