TROJ_INJECT.ECD

This Trojan serves as a loader for other possible malicious files. It checks for components. It then creates processes where it will inject its components. It also attempts to execute a file. As a result, malicious routines of executed files are also exhibited on the affected system.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any downloading capability.

It does not have any information-stealing capability.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Active Setup\Installed Components\{CA054628-7954-5693-0102-N4GTE76NH543}
Locale = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Active Setup\Installed Components\{CA054628-7954-5693-0103-N4GTE76NH543}
IsInstalled = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Active Setup\Installed Components\{CA054628-7954-5693-0102-N4GTE76NH543}
Version = "{malware version}"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Active Setup\Installed Components\{CA054628-7954-5693-0102-N4GTE76NH543}
StubPath = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Active Setup\Installed Components\{CA054628-7954-5693-0103-N4GTE76NH543}
StubPath = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Active Setup\Installed Components\{CA054628-7954-5693-0103-N4GTE76NH543}
Version = "{malware version}"

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Download Routine

This Trojan does not have any downloading capability.

Information Theft

This Trojan does not have any information-stealing capability.

Other Details

This Trojan requires the following additional components to properly run:

• %User Profile%\Microsoft\UsetSet\Hood\detoured.dll
• %User Profile\Microsoft\Usetset\Hood\kbdmon.dll
• %User Profile%\Application Data\Microsoft\Windows\thumbs\csrss.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

NOTES:

It serves as a loader for other possible malicious files.

It checks for the following components:

• %User Profile%\Microsoft\UsetSet\Hood\detoured.dll
• %User Profile%\Microsoft\Usetset\Hood\kbdmon.dll

It then creates any of the following processes where it will inject the above-mentioned components:

• alg.exe
• spoolsv.exe
• wuauclt.exe
• mprexe.exe

It also attempts to execute the following file:

• %User Profile%\Application Data\Microsoft\Windows\thumbs\csrss.exe

As a result, malicious routines of executed files are also exhibited on the affected system.