TROJ_ANDROMED.ER

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %All Users Profile%\Local Settings\Temp\ms{random}.{extension name}
• %User Temp%\ms{random}.{extension name} (user with no admin rights)

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It executes then deletes itself afterward.

It injects codes into the following process(es):

• %Windows%\system32\wuauclt.exe
• %Windows%\syswow64\svchost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%All Users Profile%\Local Settings\Temp\ms{random}.{extension name}"

Download Routine

This Trojan connects to the following malicious URLs:

• http://{BLOCKED}update.net/page/image.php

NOTES:
This Trojan terminates itself if the following processes are found running in the affected system's memory:

• vmwareservice.exe
• vmwareuser.exe
• vboxservice.exe
• vboxtray.exe
• wireshark.exe

This Trojan checks if it is running under a virtual environment by querying the following registry value:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk\Enum
0

It will terminates itself if the 9th, 10th, 11th and 12th characters of the data of the aforementioned registry value is equal to any of the following:

• wmwa
• vbox
• qemu

The extension name of its dropped copy may be any of the following:

• BAT
• CMD
• COM
• EXE
• PIF
• SCR