TROJ_MUFANOM.DH

 Analysis by: kathleenno

 ALIASES:

Downloader (Symantec); Trojan:Win32/Hiloti.gen!D (Microsoft); Trojan-Downloader.Win32.Mufanom.avqq (Kaspersky); Hiloti.gen.p (Mcafee); Mal/Hiloti-D (Sophos)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

87,040 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

14 Apr 2011

Payload:

Creates files, Drops files, Modifies system registry

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %Windows%\{random name}.dll
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome.manifest
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome\content\_cfg.js
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome\content\overlay.xul
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\install.rdf

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = rundll32.exe "{malware path and filename}",Startup

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\
Firefox\Extensions
{Random CLSID for Firefox} = "%User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\{random characters}