TROJ_SMALL.LJF

Malware type: Trojan

In the wild: No

Language: English

Overall risk rating:

Reported infections:

Damage potential:

Low

Distribution potential:

Low

Description: 

A Trojan horse program is a malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an antivirus program.

TECHNICAL DETAILS


File type: PE

Memory resident:  No

Size of malware: 32,768 Bytes

Details:

Installation

This Trojan drops the following file(s)/component(s):

  • %System%\WINSYSTEM.EXE
  • %System%\WINSYSTEM1.EXE
  • %System%\WINSYSTEM2.EXE
  • %System%\WINSYSTEM3.EXE
  • %Temporary Internet Files%\Content.IE5\UH90UXRF\globo[1].htm

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Temporary Internet Files% is usually C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files.)

Other System Modifications

This Trojan creates the following registry key(s)/entry(ies):

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\
HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\vrkcyber.rkr
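Explorer stores UserAssist value names ROT13-encoded, so the entry above is readable only after decoding. The following is an added forensic helper, not part of this report or of any Trend Micro tool, that decodes the value name listed above and splits it into its UEME prefix and the recorded program path; it shows that the entry records an execution of Internet Explorer, which is consistent with the Temporary Internet Files drop listed under Installation.

```python
import codecs

# UserAssist value name copied verbatim from the report above.
USERASSIST_NAME = r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\vrkcyber.rkr"


def decode_userassist(name: str) -> str:
    """Undo the ROT13 applied to UserAssist value names.

    ROT13 only rotates ASCII letters, so drive letters, backslashes,
    dots and digits pass through unchanged.
    """
    return codecs.decode(name, "rot_13")


def parse_userassist(name: str) -> dict:
    """Split a decoded UserAssist name into its UEME_* prefix and path.

    Returns a dict with the raw (encoded) name, the decoded name, the
    prefix (e.g. UEME_RUNPATH) and the program path that was run.
    """
    decoded = decode_userassist(name)
    prefix, sep, path = decoded.partition(":")
    if not sep:
        # Not every UserAssist name carries a path (e.g. session counters).
        return {"raw": name, "decoded": decoded, "prefix": decoded, "path": ""}
    return {"raw": name, "decoded": decoded, "prefix": prefix, "path": path}


def is_run_path(name: str) -> bool:
    """True when the entry records a program launch (UEME_RUNPATH)."""
    return parse_userassist(name)["prefix"] == "UEME_RUNPATH"


if __name__ == "__main__":
    entry = parse_userassist(USERASSIST_NAME)
    print(entry["prefix"], "->", entry["path"])
```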

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer
FaultCount = "0"

(Note: The default value data for the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer
FaultTime = "0"

(Note: The default value data for the said registry entry is 1644dd.)

Download Routine

This Trojan connects to the following Web site(s):

  • http://{BLOCKED}.{BLOCKED}.85.130/~down/2.jpg
  • http://{BLOCKED}.{BLOCKED}.85.130/~down/3.jpg
  • http://www.{BLOCKED}enoisvois.com/imagens/1.jpg
  • http://www.{BLOCKED}enoisvois.com/imagens/2.jpg

Other Details

This Trojan creates the following mutex(es) to ensure that only one instance of itself is running in memory:

  • _SHuassist.mtx
  • ExplorerIsShellMutex
  • HGFSMUTEX

It connects to the following possibly malicious URL(s):

  • http://{BLOCKED}.{BLOCKED}.85.130/~down/2.jpg
  • http://{BLOCKED}.{BLOCKED}.85.130/~down/3.jpg

Affected Platforms

This Trojan runs on Windows 98, ME, NT, 2000, XP, Server 2003.


Revision History:

First pattern file version: 6.426.01
First pattern file release date: Sep 07, 2009