Analysis by: Jasen Sumalapao

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses icons similar to those of legitimate applications to entice a user to click them.

This file contains URLs that it connects to, possibly to download other files. It deletes itself after execution.

  TECHNICAL DETAILS

File size 49,152 bytes
File type EXE
Initial samples received on 24 Jun 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops a copy of itself in the following folders using different file names:

  • %User Profile%\{User Name}\Local Settings\Application Data\{random filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes running in the affected system's memory:

  • svchost.exe

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random characters} = %User Profile%\{User Name}\Local Settings\Application Data\{random filename}.exe

Propagation

This Trojan uses icons similar to those of legitimate applications to entice a user to click them.

Other Details

This file contains URLs that it connects to, possibly to download other files. As of this writing, this file contains the following URLs:

  • http://bing.com/{BLOCKED}u/index.php?r=gate&gh=
  • http://twitter.com/{BLOCKED}l/index.php?r=gate&ac=
  • http://{BLOCKED}lands2012.ru/forum/index.php?r=gate&id=
  • http://google.com/{BLOCKED}h/index.php?r=gate&cc=
  • http://fb.com/{BLOCKED}h/index.php?r=gate&fg=
  • http://{BLOCKED}-of10.ru/forum index.php?r=gate&id=
  • http://{BLOCKED}aof.ru/forum/index.php?r=gate&id=
  • http://{BLOCKED}obin20.ru/forum/index.php?r=gate&id=

It deletes itself after execution.
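A small triage script, added here as an example and not part of this entry, that turns two of the indicators above into checks: Run-key values that launch an .exe stored directly in the per-user Local Settings\Application Data folder, and request URLs shaped like the gate beacons listed above (index.php with r=gate). The registry values, proxy log lines and host names below are constructed placeholders, not values from the entry.

```python
import re
from urllib.parse import urlparse, parse_qs

# Drop location described in the entry: a copy of the Trojan under a random file name,
# directly inside the per-user "Local Settings\Application Data" folder (2000/XP/2003 layout).
DROP_DIR_RE = re.compile(r"\\Local Settings\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)
URL_IN_LOG_RE = re.compile(r"https?://\S+")


def suspicious_run_value(data):
    """True if a Run-key value launches an .exe stored directly in Local Settings\\Application Data."""
    path = data.strip().strip('"')  # tolerate quoted command lines
    return DROP_DIR_RE.search(path) is not None


def suspicious_gate_url(url):
    """True if the URL has the beacon shape from the entry: .../index.php?r=gate&<param>=..."""
    parsed = urlparse(url)
    if not parsed.path.lower().endswith("/index.php"):
        return False
    query = parse_qs(parsed.query, keep_blank_values=True)
    return query.get("r") == ["gate"]  # r=gate is the discriminating parameter


def scan(run_entries, proxy_lines):
    """run_entries: (value name, data) pairs read from HKCU\\...\\Run; proxy_lines: raw log lines.
    Returns the names of suspicious Run values and the matching request URLs."""
    hits = {"run": [], "url": []}
    for name, data in run_entries:
        if suspicious_run_value(data):
            hits["run"].append(name)
    for line in proxy_lines:
        for url in URL_IN_LOG_RE.findall(line):
            if suspicious_gate_url(url):
                hits["url"].append(url)
    return hits


# Constructed sample input (hypothetical values, not taken from the entry).
SAMPLE_RUN = [
    ("kq7zrt", r"C:\Documents and Settings\alice\Local Settings\Application Data\wg3mxe.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_PROXY = [
    "2012-06-24T10:01:03 10.0.0.5 GET http://forum.example.invalid/forum/index.php?r=gate&id=42 200",
    "2012-06-24T10:01:09 10.0.0.5 GET http://www.example.invalid/index.php?page=home 200",
]

if __name__ == "__main__":
    print(scan(SAMPLE_RUN, SAMPLE_PROXY))
```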