Virus Profile: Generic.dx!tjv

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/15/2010
Date Added: 8/15/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Generic
DAT Required: 6075

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

  • MD5   - 61B82A650B1F0ABDC57C05DCF072015B
  • SHA-1 - 7040DF995A8B3D6EFD3A5ABD143A5BEF50115CBC

Aliases

  • NOD32     - Win32/Naprat.E
  • Ikarus    - P2P-Worm.Win32.BlackControl
  • Kaspersky - P2P-Worm.Win32.BlackControl.d
  • Symantec  - W32.Ackantta!gen

Indication of Infection

  • Presence of the files and registry keys listed under Virus Characteristics.
  • Unexpected network connections to the IP addresses listed under Virus Characteristics.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Virus Characteristics

Upon execution, the Trojan copies itself to the following locations:

  • %Windir%\system32\HPWuSchde.exe (Hidden) [Detected as Generic.dx!tjv]
  • [Removable Drive]:\RECYCLER\S-1-(Varies)\redmond.exe (Hidden) [Detected as Generic.dx!tjv]

It also drops the following files:

  • %Appdata%\SystemProc\lsass.exe
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
  • %Windir%\system32\reader_sl.exe
  • %Windir%\areader.dll
  • %Windir%\reader_sl.exe
  • [Removable Drive]:\autorun.inf (Hidden)
  • %SYSTEMDRIVE%\RECYCLER\S-1-(Varies)\Desktop.ini (Hidden)

The following folders are created on the system:

  • [Removable Drive]:\RECYCLER
  • [Removable Drive]:\RECYCLER\S-1-(Varies)

This Trojan also attempts to create an autorun.inf file in the root of every accessible disk volume. The AutoRun.inf points at the malware executable, so when the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The autorun.inf launches the Trojan with the following command syntax:

    [autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1
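As an added example (not part of this McAfee profile), the following Python triage routine parses an autorun.inf and flags the launch pattern described above: launch directives that point at an executable inside a recycle-bin folder, and an action string that mimics the Windows "Open folder to view files" prompt. The sample autorun.inf is constructed from the command syntax quoted above; the folder and extension lists are the author's assumptions.

```python
import re

# Constructed sample: the autorun.inf command syntax quoted in this profile.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe
shell\\open\\default=1
"""

# Directives that execute something when the volume is opened or its verb is chosen.
LAUNCH_KEYS = {"open", "shellexecute"}
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
# Folders a legitimate autorun.inf has no reason to launch from (assumed list).
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def triage_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or LAUNCH_KEY_RE.match(key):
            target = value.lower()
            if target.endswith(EXECUTABLE_EXTS):
                findings.append(f"{key} launches an executable: {value}")
            if any(d in target for d in SUSPICIOUS_DIRS):
                findings.append(f"{key} points into a recycle-bin style folder: {value}")
    # The action text mimics the built-in Windows prompt so the user picks the
    # malware's entry in the AutoPlay dialog instead of the genuine one.
    if entries.get("action", "").lower().startswith("open folder"):
        findings.append("action text mimics the built-in 'Open folder to view files' prompt")
    return findings
```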

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{384552B3-1U3X-4C80-LSLR-6R4F32484KW7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\HP91
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\HP91

The following registry values are added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{384552B3-1U3X-4C80-LSLR-6R4F32484KW7}\]
    "StubPath" = "%Windir%\reader_sl.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
    "RTHDBPL" = "%Appdata%\SystemProc\lsass.exe"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\]
    "Adobe Reader Speed Launcher" = "%Windir%\reader_sl.exe"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "HP Software Updater II" = "%Windir%\system32\HPWuSchde.exe"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "Adobe Reader Speed Launcher" = "%Windir%\reader_sl.exe"

The registry entries above register the Trojan with the compromised system so that it executes on every boot.

The Trojan registers itself as an authorized application with the Windows Firewall by adding the following registry value:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\]
    “HPWuSchde.exe” = "%WINDIR%\system32\HPWuSchde.exe:*:Enabled:Explorer"

The Trojan disables Windows User Account Control (UAC) alerts by adding the following registry values:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
    "UACDisableNotify" = 0x00000001
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    "EnableLUA" = 0x00000000

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\]
    "Start" = 0x00000004

This registry entry disables the Error Reporting Service (ERSvc).

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\]
    "DisableSR" = 0x00000001

This registry entry disables the System Restore function.
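As an added example (not part of this McAfee profile), this Python checker parses a .reg-style export and flags the protection-disabling settings listed above (EnableLUA, UACDisableNotify, DisableSR and the ERSvc Start value) together with autostart entries that launch from %Appdata% or reuse a system binary name such as lsass.exe outside system32. The export is constructed from the values on this page; the rule table and the binary-name list are the author's assumptions.

```python
import re

# Constructed .reg-style export built from the values this profile lists;
# it is sample input for the checker, not an export taken from a real host.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="%Appdata%\\SystemProc\\lsass.exe"
"""
# Protection-disabling settings from the profile: (key suffix, value name, data, meaning).
DISABLE_RULES = [
    ("policies\\system", "enablelua", 0, "UAC disabled (EnableLUA=0)"),
    ("security center", "uacdisablenotify", 1, "UAC notifications suppressed"),
    ("currentversion\\systemrestore", "disablesr", 1, "System Restore disabled"),
    ("services\\ersvc", "start", 4, "Error Reporting Service disabled (Start=4)"),
]
# Assumed list of core binaries that never legitimately autostart outside system32.
SYSTEM_ONLY_NAMES = ("lsass.exe", "csrss.exe", "winlogon.exe", "services.exe")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Yield (key, value_name, data) triples; dword data is returned as int."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m:
            name, dword, string = m.groups()
            yield key, name, (int(dword, 16) if dword is not None else string.replace("\\\\", "\\"))

def assess_registry(text):
    """Flag disabled protections and suspicious Run / policies\\Explorer\\Run entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n = key.lower(), name.lower()
        for suffix, vname, bad, meaning in DISABLE_RULES:
            if k.endswith(suffix) and n == vname and data == bad:
                findings.append(meaning)
        if k.endswith("\\run") and isinstance(data, str):
            t = data.lower()
            if t.startswith("%appdata%") or (t.endswith(SYSTEM_ONLY_NAMES) and "system32" not in t):
                findings.append(f"autostart value '{name}' runs {data}")
    return findings
```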

The Trojan connects to "Whatismyip.com" to determine the victim's public IP address.

This Trojan also injects its malicious code into explorer.exe and iexplore.exe and connects to the following IP addresses:

  • 67.214.[Removed].149 through remote port 80.
  • 204.13.[Removed].126 through remote port 443.

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000), %Program Files%\ is C:\Program Files and %Appdata%\ is the Application data folder]

Removal Instructions

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

4. Use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the compromised Windows installation and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click "Repair Your Computer".
When the System Recovery Options dialog appears, choose Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.
