Analysis by: Kiyoshi Obuchi

ALIASES:

Trojan.Luminrat (Symantec); Mal/MSIL-TH (Sophos); VirTool:MSIL/Subti.N (Microsoft)

PLATFORM:

Windows


  • Threat Type: Worm
  • Destructiveness: No
  • Encrypted:
  • In the wild: Yes

OVERVIEW

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File size: 2,154,008 bytes
File type: EXE
Initial samples received on: 21 Mar 2017

Arrival Details

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops the following files:

  • %Application Data%\conhost\Guard\1
  • %Application Data%\conhost\Screenshots\{DATE}\{TIME}
  • %Application Data%\rat.exe
  • %Application Data%\svchost.exe
  • %Application Data%\Windows Update.exe
  • %Program Files%\Client\svchost.exe
  • %System%\clientmonitor.exe
  • %System%\Tasks\adorbe
  • %User Startup%\BGInfo.lnk

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit). %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{user name}\Start Menu\Programs\Startup on Windows XP, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

It creates the following folders:

  • %Application Data%\conhost\Logs
  • %Application Data%\conhost\Files
  • %Application Data%\conhost\Screenshot
  • %Application Data%\conhost\Guard

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)

Other System Modifications

This Worm adds the following registry entries:

HKEY_CURRENT_USER\Software\s
sgrbBHDMOetyRkExVphQ== = RFTOim3TdAczhLTaDSizdxjwt336geGUtGenylg+am0=

HKEY_CURRENT_USER\Software\ZGDbZx4E
XnSXF8mqincQA== = 4fbtXk5r4LkQK0vi0v2OsQZ10pFACK4j4YqRkpj7sEs=

HKEY_CURRENT_USER\Software
MTX = 0bcf24549a8536869fa6e8c81d24506f35b5fbb1

HKEY_CURRENT_USER\Software
PTH = "%Program Files%\Client\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
shell = "explorer.exe,"%System%\clientmonitor.exe""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\adorbe
Index = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
adorbe = "cmd /c "start "adorbe" "%Program Files%\Client\svchost.exe""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Update = %Application Data%\svehost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Update = %Application Data%\svehost.exe

Other Details

This Worm connects to the following possibly malicious URLs:

  • enugu0421.{BLOCKED}s.net
  • s.{BLOCKED}d.com
  • sw.{BLOCKED}d.com
  • s.{BLOCKED}b.com
  • sw.{BLOCKED}b.com
  • s2.{BLOCKED}b.com
  • s1.{BLOCKED}b.com
  • sv.{BLOCKED}d.com
  • sv.{BLOCKED}b.com
  • ss.{BLOCKED}d.com
  • gn.{BLOCKED}d.com

It adds the following scheduled task:

  • Name: adorbe
  • Trigger: on startup
  • Executes: %Program Files%\Client\svchost.exe
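The registry entries, scheduled task and dropped files listed in this entry are all persistence and installation indicators a responder can check for directly. The script below is an added example, not code from the entry or from Trend Micro: it is a read-only PowerShell triage function that checks each listed location (the Winlogon Shell value, the Run/RunOnce values, the MTX/PTH values under HKCU\Software, the "adorbe" task, and the dropped file paths) and returns whatever it finds. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module; the function name and the finding object layout are the example's own choices.

```powershell
# Added example, not part of the original entry: read-only triage of the
# persistence locations and dropped files listed above. Assumes Windows
# PowerShell 5.1+ with the ScheduledTasks module. It reports and changes nothing.

function Get-LuminratPersistenceFindings {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $location, $value) {
        $findings.Add([pscustomobject]@{ Check = $check; Location = $location; Value = $value })
    }

    # 1. Winlogon Shell: the expected value is exactly "explorer.exe". The entry sets it to
    #    "explorer.exe,<%System%\clientmonitor.exe>" so the extra binary starts at logon.
    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { Add-Finding 'Winlogon Shell' "$winlogon\Shell" $shell }

    # 2. Run/RunOnce value names from the entry ("Update", "adorbe").
    $runValues = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Update' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Name = 'Update' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'adorbe' }
    )
    foreach ($rv in $runValues) {
        $data = (Get-ItemProperty -Path $rv.Path -Name $rv.Name -ErrorAction SilentlyContinue).($rv.Name)
        if ($data) { Add-Finding 'Run/RunOnce value' "$($rv.Path)\$($rv.Name)" $data }
    }

    # 3. MTX and PTH values written directly under HKCU\Software.
    foreach ($name in 'MTX', 'PTH') {
        $data = (Get-ItemProperty -Path 'HKCU:\Software' -Name $name -ErrorAction SilentlyContinue).$name
        if ($data) { Add-Finding 'HKCU\Software value' "HKCU:\Software\$name" $data }
    }

    # 4. Scheduled task "adorbe" (startup trigger, runs %Program Files%\Client\svchost.exe).
    $task = Get-ScheduledTask -TaskName 'adorbe' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
        Add-Finding 'Scheduled task' ($task.TaskPath + $task.TaskName) $actions
    }

    # 5. Dropped files and folders. Both Program Files roots are checked because the
    #    entry's %Program Files% resolves differently on 32-bit and 64-bit Windows.
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    $candidates = @(
        (Join-Path $env:APPDATA 'conhost'),
        (Join-Path $env:APPDATA 'rat.exe'),
        (Join-Path $env:APPDATA 'svchost.exe'),
        (Join-Path $env:APPDATA 'Windows Update.exe'),
        (Join-Path $env:SystemRoot 'System32\clientmonitor.exe'),
        (Join-Path $env:SystemRoot 'System32\Tasks\adorbe'),
        (Join-Path $startup 'BGInfo.lnk')
    )
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) { $candidates += Join-Path $root 'Client\svchost.exe' }
    }
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            Add-Finding 'Dropped file/folder' $p (Get-Item -LiteralPath $p).LastWriteTime
        }
    }

    return $findings
}

# Usage: list findings; an empty result means none of the listed indicators were present.
Get-LuminratPersistenceFindings | Format-Table -AutoSize
```

Run it in the context of the affected user so that the HKCU and %Application Data% paths resolve to that profile. Because the function only reads, a non-empty result is a lead for collection and review (timestamps, hashes, task XML) rather than a trigger for automatic cleanup; the Winlogon Shell check in particular compares against the exact default value, so any other content there deserves a look even if it does not match the entry's string.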