Kartikey Sapra
Creates the following mutex, so that only one instance of the Trojan runs on the compromised computer at any one time:


Creates the following backup copy of the valid system file %System%\userinit.exe:


The Trojan then creates a copy of itself as the following file, overwriting the original %System%\userinit.exe file in the process:


* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Copies itself as the following files:

* %ProgramFiles%\Common Files\system\lsass.exe
* %Windir%\system\ctfmon.exe

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

Creates the following files:

* %System%\divx5.dll
* %System%\h323.txt

The library file %System%\divx5.dll is a user-mode rootkit that tries to hide the Trojan's processes from the Windows Task Manager utility.

Adds the value:

"ctfmon.exe" = "%Windir%\system\ctfmon.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Adds the value:

"Userinit" = "%ProgramFiles%\Common Files\system\lsass.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Adds the value:


to the registry subkey:


to act as an infection marker.

Adds the value:

"gold" = "[RANDOM ID]"

to the registry subkey:


to act as an infection marker.

Adds the values:

"%Windir%\system\ctfmon.exe" = "%Windir%\system\ctfmon.exe:*:Enabled:ctfmon"
"%System%\userinit.exe" = "%System%\userinit.exe:*:Enabled:userinit"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

in order to bypass Windows Firewall restrictions.

Modifies the values:

"SFCDisable" = "FFFFFF9D"
"SFCScan" = "0"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

in order to disable Windows File Protection.

Adds the value:

"System" = ""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Deletes all entries under the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Explorer\Browser Helper Objects
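The registry changes listed above (Run-key persistence, the Windows Firewall AuthorizedApplications exceptions, the Winlogon SFCDisable/SFCScan modifications and the blank Winlogon "System" value) are the artifacts a responder would sweep for. The script below is an added example, not part of the original writeup, that encodes them as detection rules and runs them over a constructed set of registry entries in the (key, value name, data) shape a registry export or forensic parser produces; the sample entries and the rule names are my own.

```python
"""Registry indicator sweep for the persistence/firewall/WFP changes the writeup lists.

Entries are (key, value_name, data) tuples such as a `reg export` parser or a
forensic hive parser would yield. Sample data below is constructed, not a capture.
"""
from collections import Counter

# The Trojan's copies live in paths where the real binaries never reside:
# the genuine ctfmon.exe and lsass.exe are both in %System% (System32).
SUSPICIOUS_BINARIES = (
    r"\system\ctfmon.exe",              # %Windir%\system\ctfmon.exe
    r"\common files\system\lsass.exe",  # %ProgramFiles%\Common Files\system\lsass.exe
)

# Constructed sample: the indicators from the writeup plus benign entries the rules must ignore.
RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SAMPLE_ENTRIES = [
    (RUN_HKCU, "ctfmon.exe", r"C:\Windows\system\ctfmon.exe"),
    (RUN_HKCU, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_HKLM, "Userinit", r"C:\Program Files\Common Files\system\lsass.exe"),
    (FW_LIST, r"C:\Windows\system\ctfmon.exe", r"C:\Windows\system\ctfmon.exe:*:Enabled:ctfmon"),
    (FW_LIST, r"C:\Windows\System32\userinit.exe", r"C:\Windows\System32\userinit.exe:*:Enabled:userinit"),
    (WINLOGON, "SFCDisable", "FFFFFF9D"),
    (WINLOGON, "SFCScan", "0"),
    (WINLOGON, "System", ""),
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),  # legitimate default, must not fire
]


def _norm(path: str) -> str:
    """Case-fold and unify separators so rules match regardless of how the key was exported."""
    return path.lower().replace("/", "\\")


def scan_registry(entries):
    """Return a list of (rule, key, value_name, data) findings for the known indicators."""
    findings = []
    for key, name, data in entries:
        k, n, d = _norm(key), name.lower(), data.lower()
        if k.endswith(r"\windows\currentversion\run"):
            # Rule 1: Run-key persistence pointing at the Trojan's drop locations.
            if any(b in d for b in SUSPICIOUS_BINARIES):
                findings.append(("suspicious_run_entry", key, name, data))
        elif k.endswith(r"\authorizedapplications\list"):
            # Rule 2: firewall exceptions for the dropped copies, or for userinit.exe,
            # which is a logon helper and has no legitimate need for a firewall exception.
            if any(b in d for b in SUSPICIOUS_BINARIES) or "userinit.exe" in d:
                findings.append(("firewall_exception", key, name, data))
        elif k.endswith(r"\windows nt\currentversion\winlogon"):
            # Rule 3: Windows File Protection disabled via the documented values.
            if (n == "sfcdisable" and d == "ffffff9d") or (n == "sfcscan" and d == "0"):
                findings.append(("wfp_disabled", key, name, data))
            # Rule 4: the empty "System" value the writeup reports under Winlogon.
            elif n == "system" and d == "":
                findings.append(("winlogon_system_blank", key, name, data))
    return findings


def rule_counts(entries) -> dict:
    """Summarise findings as {rule_name: hit_count}, convenient for a triage report."""
    return dict(Counter(rule for rule, *_ in scan_registry(entries)))


if __name__ == "__main__":
    for rule, key, name, data in scan_registry(SAMPLE_ENTRIES):
        print(f"[{rule}] {key}\\{name} = {data!r}")
    print(rule_counts(SAMPLE_ENTRIES))
```

On a live host the entries would come from a hive parser or from `reg export` output rather than the constructed list; the rules match on the tail of the key path so that differences in hive naming (HKLM vs HKEY_LOCAL_MACHINE, mounted offline hives) do not matter.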

Attempts to download a configuration file using one of the following domains:








Alternatively, the Trojan may use a domain configured under the following registry entry:


The Trojan saves this file as the following file:


May then modify the hosts file with data copied from a downloaded configuration file, %System%\hst.txt.

Modifies the following .dll files, and any backup copies in the %Windir%\dllcache folder, in order to disable System File Protection:

* %System%\sfc_os.dll
* %System%\sfc.dll

Attempts to close windows that have the following titles, some of which may be security-related:

* Norton Personal Firewall
* Create rule for %s
* Un processus cache requiert une connexion reseau.
* Ne plus afficher cette invite
* Un proceso oculto solicita acceso a la red
* Aceptar
* Warning: Components Have Changed
* &Make changed component shared
* Hidden Process Requests Network Access
* Ein versteckter Prozess verlangt Netzwerkzugriff.
* PermissionDlg
* &Remember this answer the next time I use this program.
* &Yes
* Windows Security Alert
* Allow all activities for this application
* Kerio Personal Firewall Alert
* Create a rule for this communication and don't ask me again.

Attempts to end the following processes:

* M00.EXE

Attempts to disable the following programs:

* C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
* C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

Steals the following information and saves it to the %System%\h323.txt file:

* POP3 user name
* Password for Internet Explorer AutoComplete
* MSN Explorer Signup account
* The Bat! configuration file

Searches for the following strings in the Web browser:

* cahoot
* egg
* if.com
* smile
* first
* nation
* abbey
* natwest
* citi
* barclay
* allianc
* bank
* hsbc
* lloyd
* nwolb
* online
* hali
* npbs
* marbles
* trade
* e-gold
* rbs.
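The hosts-file modification described above (data copied from the downloaded %System%\hst.txt) and the list of banking-related strings the Trojan watches for together suggest one simple check: parse the hosts file and flag any entry that maps a hostname containing one of those strings to an address other than loopback. The script below is an added example, not part of the original writeup; the hosts content is constructed (TEST-NET addresses), the keyword list is the one printed above, and the substring matching mirrors the writeup's own partial strings such as "rbs." and "allianc".

```python
"""Flag hosts-file entries that redirect banking-related hostnames away from loopback.

On Windows the hosts file normally lives at %System%\drivers\etc\hosts; the text
below is a constructed sample, not a real capture.
"""
import ipaddress

# Exactly the strings listed in the writeup; they are partial words, so substring matching is intended.
BANKING_KEYWORDS = [
    "cahoot", "egg", "if.com", "smile", "first", "nation", "abbey", "natwest",
    "citi", "barclay", "allianc", "bank", "hsbc", "lloyd", "nwolb", "online",
    "hali", "npbs", "marbles", "trade", "e-gold", "rbs.",
]

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# constructed sample for the example, not a capture
127.0.0.1       localhost
192.0.2.44      www.natwest.com          # redirected to a TEST-NET address
192.0.2.44      online.lloydstsb.co.uk
127.0.0.1       ads.example.net          # ad-blocking style entry, benign
10.0.0.5        intranet.corp.example    # non-loopback but not bank-related
"""


def parse_hosts(text: str):
    """Return [(ip, [hostnames...]), ...], dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostname is malformed; skip it
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def _matched_keywords(hostname: str):
    h = hostname.lower()
    return sorted(k for k in BANKING_KEYWORDS if k in h)


def find_hijacked_hosts(text: str):
    """Return findings for bank-related hostnames mapped to a non-loopback address."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # garbage in the address column is not a hosts entry
        if addr.is_loopback:
            continue  # 127.0.0.0/8 or ::1 sinkholes are a common benign pattern
        for name in names:
            keywords = _matched_keywords(name)
            if keywords:
                findings.append({"hostname": name, "ip": ip, "keywords": keywords})
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_hosts(SAMPLE_HOSTS):
        print(f"{finding['hostname']} -> {finding['ip']} (matched: {', '.join(finding['keywords'])})")
```

Any hit is a cue to compare the hosts file against a known-good copy and to look for %System%\hst.txt and %System%\h323.txt on the same machine. Substring matching on short strings like "egg" or "first" will produce false positives on ordinary hostnames, which is why the loopback exclusion matters: a hostname only gets flagged when it is also being redirected somewhere.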

Logs the following data, related to Web browsing activities, in the file %System%\h323.txt:

* URLs visited
* Radio button and checkbox status
* Keystrokes

Posts all the log files it creates to a Web site defined by the remote attacker. The Trojan also sends the following data, which it gathers from the compromised computer, to this Web site:

* Username
* Opened port number
* Connection type (modem or LAN)

Opens a proxy server on a random TCP port.
Use it at your own risk.
