Virus Profile: Generic.dx!bc3c

Virus Characteristics

Upon execution the Trojan drop files in the below location

 %UserProfile%\AppData\Roaming\koino\liveweb_hana\updateagent.exe

And also the Trojan looks for VersionInfo.ini and reads the value stored under the "ComponentLocation" key.

If the "ComponentLocation” key exists, it attempts to download an executable file located at hxxp://[componentlocation]/VERSIONINFO.zip and renames it to LiveWeb_Hana.exe and runs the application.

If the "ComponentLocation” key is not found, it attempts to download the file located at "hxxp://COMPONENTLOCATION/VERSIONINFO.zip"
The same file which is previously downloaded is also copied to %systemdrive%\Users\[Username].exe or %systemdrive%\Documents and Settings\[Username].exe

Upon execution the Trojan tries to connect to the URL below through remote port 80 and listen to an open inbound traffic

 koin[Removed]h.com

The following registry values have been added to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\MiscStatus\1\: "131473"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VersionIndependentProgID\: "HanaUpdater.Launcher"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\Version\: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ToolboxBitmap32\: "%UserProfile%\Desktop\HANAUPDATER.dll, 101"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\MiscStatus\: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "Launcher Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "_ILauncherEvents"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "ILauncher"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%UserProfile%\Desktop\"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "HanaUpdater 1.0 Type Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CurVer\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\: "Launcher Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher.1\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher.1\: "Launcher Class"

The following registry key values have been modified to the system.

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKEY_LOCAL_MACHINE_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck