Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

  TECHNICAL DETAILS

File size: Varies
File type: EXE
Memory resident: Yes
Initial samples received on: 18 May 2011

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Windows%\Gcawoa.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.
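The persistence mechanism above (a scheduled task launching a copy dropped into the Windows folder) can be checked on an affected host by exporting the task list with `schtasks /query /fo CSV /v` and inspecting the "Task To Run" column. The following Python script is an added example written for this page, not code from the advisory or from the malware; it runs over a constructed, abbreviated sample of that CSV output (task names, the host name and the second executable are made up for illustration) and flags tasks that run the documented copy Gcawoa.exe or, as a broader hunt rule, any executable sitting directly in %Windows% rather than in a subfolder.

```python
import csv
import io
import ntpath

# Indicator taken from this advisory: the dropped copy that the task launches.
DROPPED_COPY = "Gcawoa.exe"

# Binaries that legitimately live in the Windows folder root on XP-era
# systems; excluded from the generic "directly in %Windows%" rule to limit noise.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe"}

# Constructed, abbreviated sample of `schtasks /query /fo CSV /v` output.
# Real output has many more columns; only TaskName and "Task To Run" are
# used here. "hfxq.exe" and the task names are invented for the example.
SAMPLE_SCHTASKS_CSV = '''\
"HostName","TaskName","Status","Task To Run","Run As User"
"WS01","Defrag","Ready","C:\\WINDOWS\\system32\\defrag.exe C:","NT AUTHORITY\\SYSTEM"
"WS01","Update","Ready","C:\\WINDOWS\\Gcawoa.exe","WS01\\user"
"WS01","Cleanup","Ready","""C:\\WINDOWS\\hfxq.exe"" /silent","WS01\\user"
"WS01","Backup","Ready","C:\\Program Files\\Backup\\backup.exe /q","WS01\\user"
'''


def command_executable(task_to_run):
    """Return the executable path from a 'Task To Run' command line,
    honouring a double-quoted first token."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def find_suspicious_tasks(csv_text, windows_dir="C:\\WINDOWS"):
    """Flag tasks that run the documented dropped copy, or any non-allowlisted
    executable placed directly in the Windows folder (%Windows%)."""
    hits = []
    windows_dir = ntpath.normcase(windows_dir)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        exe = command_executable(cmd)
        name = ntpath.basename(exe).lower()
        parent = ntpath.normcase(ntpath.dirname(exe))
        if name == DROPPED_COPY.lower():
            reason = "runs documented dropped copy %s" % DROPPED_COPY
        elif parent == windows_dir and name not in WINDOWS_ROOT_ALLOWLIST:
            reason = "runs an executable placed directly in %Windows%"
        else:
            continue
        hits.append({"task": row["TaskName"], "command": cmd, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print("%-10s %-40s %s" % (hit["task"], hit["command"], hit["reason"]))
```

Pass the real Windows folder as `windows_dir` when it is not C:\WINDOWS (for example C:\WINNT on Windows 2000). The generic rule is a triage aid, not a verdict: a hit should be confirmed by checking the file's hash and signature and the task's creator and creation time, since some installers do drop helpers into the Windows root.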

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\{random characters}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random characters}
{random characters} = {random characters}

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}r.com/1wave.php
  • http://{BLOCKED}it.com/1wave.php
  • http://{BLOCKED}ary.com/1wave.php
  • http://{BLOCKED}j.com/1wave.php
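Because the hostnames above are redacted, the only reusable network indicator on this page is the request path /1wave.php. The following Python snippet is an added example written for this page, not code from the advisory; it runs over constructed proxy log lines (format, hosts and client addresses are all made up) and matches on the URL path alone, folding case and ignoring the host and query string, while making sure that a path that merely contains the string (such as /blog/1wave.php.html) is not reported.

```python
from urllib.parse import urlsplit

# Only the path survives redaction in this advisory, so match on it.
C2_PATH = "/1wave.php"

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
# Hosts and addresses are invented for the example.
SAMPLE_PROXY_LOG = """\
2011-05-18T10:02:11Z 10.0.0.21 GET http://www.example.com/index.html 200
2011-05-18T10:02:14Z 10.0.0.21 GET http://cdn.example.net/1wave.php?id=7 200
2011-05-18T10:03:02Z 10.0.0.33 POST http://203.0.113.5/1WAVE.PHP 404
2011-05-18T10:03:40Z 10.0.0.21 GET http://www.example.com/blog/1wave.php.html 200
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status)}


def is_c2_request(url):
    """Exact, case-folded match on the path; host and query are ignored."""
    return urlsplit(url).path.lower() == C2_PATH


def find_c2_requests(log_text):
    """Return the parsed records whose URL path is the documented check-in path."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if is_c2_request(r["url"])]


def affected_clients(log_text):
    """Client addresses to triage, regardless of whether the server answered."""
    return sorted({r["client"] for r in find_c2_requests(log_text)})


def contacted_hosts(log_text):
    """Hosts seen serving the path; useful to pivot once the real names are known."""
    return sorted({urlsplit(r["url"]).hostname for r in find_c2_requests(log_text)})


if __name__ == "__main__":
    for r in find_c2_requests(SAMPLE_PROXY_LOG):
        print(r["ts"], r["client"], r["method"], r["url"], r["status"])
    print("clients:", affected_clients(SAMPLE_PROXY_LOG))
    print("hosts:", contacted_hosts(SAMPLE_PROXY_LOG))
```

A 404 or other failed response still counts: the client attempted the check-in, so it belongs on the triage list. Case folding is a hunting choice made because the path is short and the hosts are unknown; expect and review occasional benign hits on unrelated sites.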