Analysis by: Michelle Morales

ALIASES:

Trojan:Win32/EqtonDrag.A!dha (Microsoft); HEUR:Trojan.Win32.EquationDrug.gen (Kaspersky); Trojan.Win32.Dottun (Ikarus); a variant of Win32/Dottun.AA (ESET); Trojan.Equdrug (Symantec)

PLATFORM:

Windows


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It scans the computer for registry keys related to antivirus and security applications, which may allow the malware to avoid detection on the computer.

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

TECHNICAL DETAILS

File Size: 380,928 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 17 Feb 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Trojan scans the system for the following registry keys, which are related to antivirus and security applications:

Zone Labs\TrueVector

Zone Labs\ZoneAlarm

KasperskyLab

Network Ice\BlackIce

Agnitum\Outpost Firewall

Sygate Technologies, Inc.\Sygate Personal Firewall

Norman

Data Fellows\F-Secure

PWI, Inc.

rising

Softwin

network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_27!=0

network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_28!=0

network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_29!=0

network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_30!=0

McAfee\ePolicy Orchestrator\Application Plugins\VIRUSCAN8600

Sophos

CA\CAPF

CA\HIPSEngine

Cisco

Symantec\IDS

Symantec\Norton 360

Symantec\Internet Security\SuiteOwnerGuid

Symantec\Norton AntiBot

Symantec\Symantec Endpoint Protection

Tiny Software\Tiny Firewall

CyberMedia Inc\Guard Dog

McAfee\Guard Dog

McAfee\McAfee Firewall

McAfee\Personal Firewall

McAfee.com\Personal Firewall

Network Associates\McAfee Fire

Kerio

BullGuard Ltd.\BullGuard

TheGreenBow

Panda Software\Firewall

TrendMicro\PC-cillin

ComputerAssociates\eTrust Suite Personal\pfw

Grisoft\Firewall\

Dropping Routine

This Trojan drops the following files:

  • %System%\msnadt.exe --> this file deletes itself after execution

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

NOTES:

If any of the aforementioned registry keys are present, this malware terminates itself without performing its initially intended routine.
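The abort check described above, modelled over a captured registry snapshot as an added example (this is not code from the description or from Trend Micro). Two points are my assumptions, not stated on the page: that the listed paths sit under HKLM\SOFTWARE, and that an entry ending in `!=0` is a value-data condition rather than a key name. The practical consequence for analysts is that a sandbox or analysis VM carrying any of these keys will see the sample exit quietly, with none of the dropping routine.

```python
import re

HIVE = r"HKLM\SOFTWARE"  # assumption: the page lists only the sub-paths

# A subset of the keys listed above, in the page's own notation.
RAW_CHECKS = [
    r"Zone Labs\ZoneAlarm",
    r"KasperskyLab",
    r"network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_27!=0",
    r"Symantec\Symantec Endpoint Protection",
    "Grisoft\\Firewall\\",  # listed with a trailing backslash
]


def parse_check(entry):
    """Return (key, value_name, operand). Plain entries are key-existence
    checks (value_name is None); "key\\name!=operand" entries require the
    value's data to differ from operand."""
    m = re.fullmatch(r"(.*)\\([^\\]+)!=(.+)", entry)
    if not m:
        return entry.rstrip("\\"), None, None
    return m.group(1), m.group(2), m.group(3)


def snapshot_lookups(snapshot):
    """Case-insensitive lookups over {key_path: {value_name: data}}, since
    registry key and value names are case-insensitive."""
    snap = {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in snapshot.items()}
    return (lambda path: path.lower() in snap,
            lambda path, name: snap.get(path.lower(), {}).get(name.lower()))


def sample_would_terminate(snapshot, checks=RAW_CHECKS):
    """True when any check is satisfied, i.e. the condition under which the
    sample exits without running its payload (see NOTES)."""
    key_exists, read_value = snapshot_lookups(snapshot)
    for key, name, operand in map(parse_check, checks):
        path = HIVE + "\\" + key
        if name is None:
            if key_exists(path):
                return True
        elif (data := read_value(path, name)) is not None and data != operand:
            return True
    return False


# Constructed analysis-VM snapshot: McAfee behaviour blocking present but
# disabled (data "0"), so only the ZoneAlarm key trips the check.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\BehaviourBlocking": {"FileBlockEnabled_27": "0"},
    r"HKLM\SOFTWARE\Zone Labs\ZoneAlarm": {},
}
```

On a Windows host the two lookups can be replaced with `winreg` calls; the evaluation logic stays the same.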

SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 11.484.01
FIRST VSAPI PATTERN DATE: 17 Feb 2015
VSAPI OPR PATTERN File: 11.485.00
VSAPI OPR PATTERN Date: 18 Feb 2015

Scan your computer with your Trend Micro product to delete files detected as TROJ_DOTTUN.VTH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
