TROJ_SULUNCH.VI

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware from remote sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by the following malware/grayware from remote sites:

• BKDR_ANDROM.WEY

It may be downloaded from the following remote sites:

• http://{BLOCKED}.{BLOCKED}.137.91/images/0/saner.exe

Installation

This Trojan drops the following component file(s):

• %User Temp%\{random}.tmp\starter.bat - deleted afterwards
• %User Temp%\{random}.tmp\wget.exe - moved to %Windows%\AppUpdate afterwards
• %User Temp%\{random}.tmp\updater.exe - also detected as TROJ_SULUNCH.VI, moved to %Windows%\AppUpdate afterwards
• %User Temp%\{random}.tmp\waitfor.exe - moved to %Windows%\AppUpdate afterwards
• %User Temp%\{random}.tmp\elevate.exe - deleted afterwards
• %User Temp%\ztmp\t{random number}.exe
• %User Temp%\ztmp\t{random number}.bat
• %Windows%\AppUpdate\wget.exe
• %Windows%\AppUpdate\updater.exe - also detected as TROJ_SULUNCH.VI
• %Windows%\AppUpdate\waitfor.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)

It creates the following folders:

• %User Temp%\ztmp
• %User Temp%\afolder
• %User Temp%\{random}.tmp - deleted afterwards
• %Windows%\AppUpdate

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
AppUpdate = "%Windows%\AppUpdate\updater.exe"

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http://{BLOCKED}ad1.fileshare.pw/32.exe - detected as TROJ_SULUNCH.VK
• http://{BLOCKED}ad1.fileshare.pw/update/32.exe - detected as TROJ_KRYPTIK.DWN
• http://{BLOCKED}ad1.fileshare.pw/update/updater_32_1.exe - detected as TROJ_KRYPTIK.DWN
• http://{BLOCKED}ad1.hyips.pw/update.exe (inaccessible)
• http://{BLOCKED}ad1.hyips.pw/update/update.exe (inaccessible)
• http://{BLOCKED}ad1.microliteupdate.net/update.exe (inaccessible)
• http://{BLOCKED}ad1.microliteupdate.net/update/update.exe (inaccessible)
• http://{BLOCKED}ad1.onlinefile.pw/32.exe (inaccessible)
• http://{BLOCKED}ad1.onlinefile.pw/update/32.exe (inaccessible)
• http://{BLOCKED}ad1.onlinefile.pw/update/updater_32_1.exe (inaccessible)

It saves the files it downloads using the following names:

• %User Temp%\32.exe
• %User Temp%\update.exe
• %User Temp%\updater_32_1.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.