MEGAD
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Spammed via email
MEGAD is also known as the Mega-D botnet or Ozdok. This botnet is responsible for sending spammed messages related to ads on male enhancement pills and replica watches.
TECHNICAL DETAILS
Yes
Sends spammed messages, Connects to URLs/IPs
Installation
This Trojan drops the following copies of itself into the affected system:
- %System%:svchost.exe
- %System%\icf.exe
- %System%\svchost.exe:exe.exe
- %System%\svchost.exe:ext.exe
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It drops the following non-malicious file:
- {malware path}\{random}.bat
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ErrorControl = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ImagePath = "%System%:svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ImagePath = "%System%\svchost.exe:exe.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ImagePath = "%System%\svchost.exe:ext.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
DisplayName = "ICF"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
Group = "TDI"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF\Security
Security = "{hex values}"
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
icf = "%System%\icf.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
icf = "%System%\icf.exe"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ICF\Security
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}e.info
- {BLOCKED}a.info
- {BLOCKED}q.biz
- {BLOCKED}nloxajz.com
- {BLOCKED}hazz.com
- {BLOCKED}dk.0rg
- {BLOCKED}ndream.org
- {BLOCKED}ebird.biz
- {BLOCKED}airnv.biz
- {BLOCKED}smotors.gs
- {BLOCKED}ster.neustar
- {BLOCKED}kalar.info
- {BLOCKED}dream.info
- {BLOCKED}razania.net
- {BLOCKED}kianfuker.com
- {BLOCKED}zorada.biz
- {BLOCKED}ttikrak.info
- {BLOCKED}juq.biz
- {BLOCKED}rkazana.biz
- {BLOCKED}yachts.cn
- {BLOCKED}nora.com
- {BLOCKED}sa.com
- {BLOCKED}ngty.info
- www.{BLOCKED}it.info
- {BLOCKED}eam.info