PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Spammed via email

MEGAD is also known as the Mega-D botnet or Ozdok. This botnet is responsible for sending spam messages advertising male enhancement pills and replica watches.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Sends spammed messages, Connects to URLs/IPs

Installation

This Trojan drops the following copies of itself into the affected system:

  • %System%:svchost.exe
  • %System%\icf.exe
  • %System%\svchost.exe:exe.exe
  • %System%\svchost.exe:ext.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. A path of the form file:name, such as %System%\svchost.exe:exe.exe, denotes an NTFS alternate data stream attached to that file or folder rather than a separate file.)

It drops the following non-malicious file:

  • {malware path}\{random}.bat

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ImagePath = "%System%:svchost.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ImagePath = "%System%\svchost.exe:exe.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ImagePath = "%System%\svchost.exe:ext.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
DisplayName = "ICF"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
Group = "TDI"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF\Security
Security = "{hex values}"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
icf = "%System%\icf.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
icf = "%System%\icf.exe"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF\Security
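The persistence described above can be checked on a host directly: the copies listed under Installation are NTFS alternate data streams on the System32 folder and on svchost.exe, and the autostart entries are a service named ICF plus two Run values named icf. The following PowerShell script is an added example written for this page; it is not part of the original writeup or of any vendor tool. It uses only the paths, key names and value names given above, reports what it finds, and changes nothing. The function name Test-MegadIndicators and the output format are my own.

```powershell
# Added example (not from the original writeup): host-side check for the
# MEGAD/Ozdok persistence artifacts listed on this page. Read-only.
# Requires Windows PowerShell 3.0+ (Get-Item -Stream) and an elevated prompt
# to read the Services key reliably.

function Test-MegadIndicators {
    $system   = [Environment]::GetFolderPath('System')   # expands %System%
    $findings = @()

    # 1. Alternate data streams named in the Installation section.
    #    Get-Item -Stream * lists every named stream; ':$DATA' is the normal
    #    file content and is ignored here.
    $svchost   = Join-Path $system 'svchost.exe'
    $adsChecks = @(
        @{ Path = $system;  Stream = 'svchost.exe' },   # %System%:svchost.exe
        @{ Path = $svchost; Stream = 'exe.exe' },       # %System%\svchost.exe:exe.exe
        @{ Path = $svchost; Stream = 'ext.exe' }        # %System%\svchost.exe:ext.exe
    )
    foreach ($c in $adsChecks) {
        $streams = Get-Item -LiteralPath $c.Path -Stream * -ErrorAction SilentlyContinue
        if ($streams | Where-Object { $_.Stream -eq $c.Stream }) {
            $findings += "ADS present: $($c.Path):$($c.Stream)"
        }
    }

    # 2. Dropped copy as a regular file.
    $icf = Join-Path $system 'icf.exe'
    if (Test-Path -LiteralPath $icf) {
        $findings += "File present: $icf"
    }

    # 3. Service registration. The writeup gives Type = 110 (hex 0x110 =
    #    own-process, interactive), Start = 2 (automatic), ObjectName =
    #    LocalSystem. An ImagePath containing a colon anywhere after the
    #    drive letter points at an alternate data stream, which a legitimate
    #    service does not do.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ICF'
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $findings += ("Service key present: ICF (ImagePath='{0}', Start={1}, " +
                      "Type={2}, ObjectName='{3}')") -f
                      $svc.ImagePath, $svc.Start, $svc.Type, $svc.ObjectName
        if ($svc.ImagePath -and ($svc.ImagePath -replace '^[A-Za-z]:', '') -match ':') {
            $findings += "Service ImagePath references an alternate data stream: $($svc.ImagePath)"
        }
    }

    # 4. Run values in both hives.
    foreach ($hive in 'HKCU', 'HKLM') {
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -LiteralPath $run -Name icf -ErrorAction SilentlyContinue).icf
        if ($val) {
            $findings += "Run value present: $run\icf = $val"
        }
    }

    return $findings
}

$result = Test-MegadIndicators
if ($result.Count -eq 0) {
    Write-Output 'No MEGAD/Ozdok indicators found.'
} else {
    Write-Output "Found $($result.Count) indicator(s):"
    $result | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated session; a clean host prints the no-indicators line. The ADS check in step 3 is worth keeping even outside this family: any service whose ImagePath contains a colon after the drive letter is loading from a hidden stream, and that pattern is rare enough in legitimate software to be worth an alert on its own.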

Other Details

This Trojan connects to the following possibly malicious URLs:

  • {BLOCKED}e.info
  • {BLOCKED}a.info
  • {BLOCKED}q.biz
  • {BLOCKED}nloxajz.com
  • {BLOCKED}hazz.com
  • {BLOCKED}dk.0rg
  • {BLOCKED}ndream.org
  • {BLOCKED}ebird.biz
  • {BLOCKED}airnv.biz
  • {BLOCKED}smotors.gs
  • {BLOCKED}ster.neustar
  • {BLOCKED}kalar.info
  • {BLOCKED}dream.info
  • {BLOCKED}razania.net
  • {BLOCKED}kianfuker.com
  • {BLOCKED}zorada.biz
  • {BLOCKED}ttikrak.info
  • {BLOCKED}juq.biz
  • {BLOCKED}rkazana.biz
  • {BLOCKED}yachts.cn
  • {BLOCKED}nora.com
  • {BLOCKED}sa.com
  • {BLOCKED}ngty.info
  • www.{BLOCKED}it.info
  • {BLOCKED}eam.info

  SOLUTION