PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This malware family can be downloaded via visiting malicious websites. Its main function is to download other malware onto infected systems thus compromising its security.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Downloads files

Installation

This Trojan drops the following files:

  • %System%\msi{random three letters}32.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSIDLL = "rundll32.exe %System%\msi{random three letters}32.dll,{random}"

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{random}

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:1"

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}c.unas.cz/admin/index.php?q={random}
  • http://{BLOCKED}ob.nl/admin/index.php?q={random}
  • http://{BLOCKED}nsle1.la.funpic.de/admin/index.php?q={random}
  • http://{BLOCKED}e.com/upd.php?q={random}
  • http://{BLOCKED}d.com/upd.php?q={random}
  • http://www.{BLOCKED}a.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}astranka.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}iesan.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}e-nemecko.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}e-nemecko2006.wz.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}007.unas.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}epower.wz.cz/adv/index.php?q={random}
  • http://www.{BLOCKED}ug.xf.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}y.mysteria.cz/admin/index.php?q={random}
  • http://www.{BLOCKED}nt1bnt.w8w.pl/admin/index.php?q={random}
  • http://www.{BLOCKED}erin.com/admin/index.php?q={random}