Virus Characteristics
Upon execution, the Trojan drops the following file:
%UserProfile%\AppData\Roaming\koino\liveweb_hana\updateagent.exe
The Trojan also looks for VersionInfo.ini and reads the value stored under its "ComponentLocation" key.
If the "ComponentLocation" key exists, it attempts to download an executable from hxxp://[componentlocation]/VERSIONINFO.zip, renames it to LiveWeb_Hana.exe and runs it.
If the "ComponentLocation" key is not found, it attempts to download the file from the literal location "hxxp://COMPONENTLOCATION/VERSIONINFO.zip".
The downloaded file is also copied to %systemdrive%\Users\[Username].exe or %systemdrive%\Documents and Settings\[Username].exe.
Upon execution, the Trojan tries to connect to the domain below on remote port 80 and listens for inbound traffic:
koin[Removed]h.com
The following registry values have been added to the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\MiscStatus\1\: "131473"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VersionIndependentProgID\: "HanaUpdater.Launcher"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\Version\: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ToolboxBitmap32\: "%UserProfile%\Desktop\HANAUPDATER.dll, 101"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\MiscStatus\: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "Launcher Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "_ILauncherEvents"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "ILauncher"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "%UserProfile%\Desktop\HANAUPDATER.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%UserProfile%\Desktop\"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "HanaUpdater 1.0 Type Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CurVer\: "HanaUpdater.Launcher.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher\: "Launcher Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher.1\CLSID\: "{GUID}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HanaUpdater.Launcher.1\: "Launcher Class"
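The file and registry indicators above can be turned into a small host triage check. The following is an added example, not code from the advisory or from the vendor; the indicators are the advisory's own, while the event format (dicts with "type", "path"/"key" and "data", standing in for a Sysmon or sandbox export) and the sample events with their GUID are constructed here. Since the advisory gives the CLSID only as {GUID}, the CLSID rule matches on the InprocServer32 subkey and confirms on the DLL name in the data.

```python
import re

# Indicators from the advisory. {GUID} is a placeholder there, so CLSID-based
# keys are matched on their stable parts and confirmed on the value data.
FILE_RULES = [
    ("dropped updater", re.compile(r"\\AppData\\Roaming\\koino\\liveweb_hana\\updateagent\.exe$", re.I)),
    ("downloaded payload", re.compile(r"\\LiveWeb_Hana\.exe$", re.I)),
    # The copy named after the user sits directly under Users\ or Documents and Settings\
    ("username-named copy", re.compile(r"\\(Users|Documents and Settings)\\[^\\]+\.exe$", re.I)),
    ("COM server DLL on Desktop", re.compile(r"\\Desktop\\HANAUPDATER\.dll$", re.I)),
]
PROGID_RULE = re.compile(r"\\Classes\\HanaUpdater\.Launcher(\.1)?(\\|$)", re.I)
INPROC_RULE = re.compile(r"\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32\\?$", re.I)
TYPELIB_NAME = "HanaUpdater 1.0 Type Library"

def triage(events):
    """Return (rule name, offending path or key) for every indicator hit.
    Event format is an assumption: {"type": "file", "path": ...} or
    {"type": "registry", "key": ..., "data": ...}."""
    hits = []
    for ev in events:
        if ev.get("type") == "file":
            for name, rx in FILE_RULES:
                if rx.search(ev["path"]):
                    hits.append((name, ev["path"]))
        elif ev.get("type") == "registry":
            key, data = ev["key"], ev.get("data", "")
            if PROGID_RULE.search(key):
                hits.append(("HanaUpdater ProgID registered", key))
            elif INPROC_RULE.search(key) and "hanaupdater.dll" in data.lower():
                hits.append(("CLSID InprocServer32 -> HANAUPDATER.dll", key))
            elif data == TYPELIB_NAME:
                hits.append(("HanaUpdater type library", key))
    return hits

# Constructed sample events: four malicious, two benign (the Temp installer and
# a CLSID whose server is a system DLL must not fire).
GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed placeholder
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\koino\liveweb_hana\updateagent.exe"},
    {"type": "file", "path": r"C:\Users\alice.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\CLSID\%s\InprocServer32" % GUID,
     "data": r"C:\Users\alice\Desktop\HANAUPDATER.dll"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\CLSID\%s\InprocServer32" % GUID,
     "data": r"C:\Windows\System32\shell32.dll"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\HanaUpdater.Launcher.1\CLSID", "data": GUID},
]

if __name__ == "__main__":
    for name, where in triage(SAMPLE_EVENTS):
        print("[HIT] %s: %s" % (name, where))
```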
The following registry values have been modified on the system:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKEY_LOCAL_MACHINE_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck