Modified by: Michael Cabel
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 27 Dec 2012
Payload: Connects to URLs/IPs, Downloads files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan injects itself into the following processes running in the affected system's memory:

  • explorer.exe

It executes then deletes itself afterward.

Other Details

This Trojan connects to the following website to send and receive information:

  • {BLOCKED}.{BLOCKED}.128.3:1122

NOTES:

This Trojan enables its automatic execution in every system startup by infecting the following boot records:

  • Master boot record
  • Volume boot record

It takes advantage of the following software vulnerabilities to elevate its escalation privileges:

  • Microsoft Windows AFD Driver Local Privilege Escalation Vulnerability (CVE-2011-2005)
  • Vulnerability in TrueType Font Parsing (CVE-2011-3402)
  • User Access Control (UAC) Bypass Local Privilege Escalation Vulnerability (CVE-2010-4398)

Once it successfully infects the boot records, this Trojan executes a malicious driver code to download and execute other possibly malicious files. As a result, routines of the downloaded files are then exhibited on the affected system.

This Trojan checks if the following applications are present on the affected system:

  • Avira
  • BitDefender
  • Hids
  • Jetico
  • KAV
  • OSSS
  • Outpost
  • PC Tools
  • Symantec

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 9.620.05
FIRST VSAPI PATTERN DATE: 27 Dec 2012
VSAPI OPR PATTERN File: 9.621.00
VSAPI OPR PATTERN Date: 28 Dec 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restore your system's Master Boot Record (MBR)

To restore your system's Master Boot Record (MBR):

• On Windows XP and Server 2003:

  1. Insert your Windows Installation CD into your CD drive then restart your computer.
  2. When prompted, press any key to boot from the CD.
  3. On the Main Menu, type r to enter the Recovery Console.
  4. Type the number that corresponds to the drive and folder that contains Windows (usually C:\WINDOWS) and press Enter.
  5. Type your Administrator password and press Enter.
  6. In the input box, type the following then press Enter:
    fixmbr {affected drive}
  7. Type exit and press Enter to restart the system normally.

• On Windows Vista and 7:

  1. Insert your Windows Installation DVD into the DVD drive, then press the restart button on your computer.
  2. When prompted, press any key to boot from the DVD.
  3. Depending on your Windows Installation DVD, you might be required to choose the installation language. On the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Repair your computer.
  4. Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
  5. If the Startup Repair window appears, click Cancel, Yes, then Finish.
  6. In the System Recovery Options menu, click Command Prompt.
  7. In the Command Prompt window, type the following then press Enter:
    BootRec.exe /fixmbr
  8. Type exit and press Enter to close the Command Prompt window.
  9. Click Restart to restart your computer normally.

Step 3

Scan your computer with your Trend Micro product to delete files detected as TROJ_DROPPR.GAP. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 4

Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.


Did this description help? Tell us how we did.