Details:
Installation
This Trojan drops the following file(s):
- %Desktop%\INTERNET EXPLORER.LNK - opens the Web site http://www.{BLOCKED}m.com/?{random characters}_{current date when executed}
- C:\comine.exe or MyIE.exe or SCVSHTO.exe or KMPlayir.exe - also detected as TROJ_VB.FPW
- C:\text.txt - non-malicious
- C:\toskngr.exe or notepod.exe or notoped.exe or Kuwoi.exe - TROJ_STARTPA.SQ
(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)
Autostart Techniques
This Trojan creates the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Bitocmet = "C:\KMPlayir.exe"
cimone = "C:\comine.exe"
gmail = "c:\toskngr.exe"
msdtcc = "C:\notepod.exe"
MyIE = "C:\MyIE.exe"
pagofile = "c:\notoped.exe"
SCVSHTO = "C:\SCVSHTO.exe"
UUSeei = "c:\Kuwoi.exe"
Other System Modifications
This Trojan creates the following registry entry(ies) as part of its installation routine:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\HideDesktopIcons\ClassicStartMenu
{871C5380-42A0-1069-A2EA-08002B30309D} = "1"
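As an added example that is not part of this analysis, the following Python script checks a registry export (as produced by reg export) for the Run values and the HideDesktopIcons entry listed above. The key paths, value names and dropped file names are taken from this entry; the sample export embedded in the script is constructed for illustration, and the identification of the CLSID as the Internet Explorer desktop icon is the editor's note.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HIDE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Explorer\HideDesktopIcons\ClassicStartMenu")
# Run value names and dropped file names listed in this entry (compared case-insensitively).
RUN_VALUE_NAMES = {"bitocmet", "cimone", "gmail", "msdtcc", "myie", "pagofile", "scvshto", "uuseei"}
DROPPED_FILES = {"comine.exe", "myie.exe", "scvshto.exe", "kmplayir.exe",
                 "toskngr.exe", "notepod.exe", "notoped.exe", "kuwoi.exe"}
# CLSID of the Internet Explorer desktop icon, which the Trojan hides (editor's identification).
HIDDEN_ICON_CLSID = "{871c5380-42a0-1069-a2ea-08002b30309d}"

# Constructed sample export: one benign Run value, two from this entry, plus the icon change.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"cimone"="C:\\comine.exe"
"gmail"="c:\\toskngr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000001
"""

def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            else:
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name.strip('"').lower()] = data
    return keys

def find_indicators(keys):
    """Return (key, value_name, data, reason) tuples that match this entry's indicators."""
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        reasons = []
        if name in RUN_VALUE_NAMES:
            reasons.append("Run value name listed for this Trojan")
        if data.rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            reasons.append("points at a dropped file name")
        elif re.fullmatch(r"[a-z]:\\[^\\]+\.exe", data.lower()):
            reasons.append("executable in drive root (weak signal, review manually)")
        if reasons:
            hits.append((RUN_KEY, name, data, "; ".join(reasons)))
    if keys.get(HIDE_KEY.lower(), {}).get(HIDDEN_ICON_CLSID) == "1":
        hits.append((HIDE_KEY, HIDDEN_ICON_CLSID, "1", "real Internet Explorer desktop icon hidden"))
    return hits
```

Run find_indicators(parse_reg_export(open("export.reg", encoding="utf-16").read())) against a real export; reg export writes UTF-16 by default.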
Internet Explorer Home Page and Search Page Modification
This Trojan modifies the Internet Explorer search page to point to the following Web site:
- http://www.{BLOCKED}com/?29_20081006
Other Details
This Trojan creates the following mutex(es) to ensure that only one instance of itself is running in memory:
It connects to the following possibly malicious URL:
- http://gp.{BLOCKED}m.com/ete.htm
- http://www.{BLOCKED}m.com
- http://www.{BLOCKED}.m.com/sogou.htm
- http://www.{BLOCKED}0..com/
Analysis By: Karl Dominguez