Kartikey Sapra
Creates the following mutex, so that only one instance of the Trojan runs on the compromised computer at any one time:

_Toolbar_Class_32


Creates the following backup copy of the valid system file %System%\userinit.exe:

%Windir%\system\userinit.exe

The Trojan then creates a copy of itself as the following file, overwriting the original %System%\userinit.exe file in the process:

%System%\userinit.exe

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Copies itself as the following files:

* %ProgramFiles%\Common Files\system\lsass.exe
* %Windir%\system\ctfmon.exe

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.


Creates the following files:

* %System%\divx5.dll
* %System%\h323.txt

The library file %System%\divx5.dll is a user-mode rootkit that tries to hide the Trojan's processes from the Windows Task Manager utility.


Adds the value:

"ctfmon.exe" = "%Windir%\system\ctfmon.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


Adds the value:

"Userinit" = "%ProgramFiles%\Common Files\system\lsass.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


Adds the value:

"tvr" = "[PATH TO TROJAN EXECUTABLE]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE

to act as an infection marker.


Adds the value:

"gold" = "[RANDOM ID]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

to act as an infection marker.


Adds the values:

"%Windir%\system\ctfmon.exe" = "%Windir%\system\ctfmon.exe:*:Enabled:ctfmon"
"%System%\userinit.exe" = "%System%\userinit.exe:*:Enabled:userinit"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

in order to bypass Windows Firewall restrictions.


Modifies the values:

"SFCDisable" = "FFFFFF9D"
"SFCScan" = "0"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

in order to disable Windows File Protection.


Adds the value:

"System" = ""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Deletes all entries under the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Explorer\Browser Helper Objects
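The routine below is an added example, not part of the original write-up, that turns the file, mutex and registry indicators listed above into a hunt script a responder could run on a suspect host. It assumes a modern Windows layout (%System% is %Windir%\System32), PowerShell 4 or later for Get-FileHash, and an elevated shell so that every key under HKLM can be read; the key paths are the write-up's own with "Microsoft" spelled out, and the hashing step treats a mismatch between %System%\userinit.exe and the backup copy as evidence that the original was overwritten.

```powershell
# Added example (not from the write-up): checks a Windows host for the
# indicators described above and returns one line per hit.
function Find-TrojanIndicators {
    $findings = New-Object System.Collections.Generic.List[string]
    $win = $env:windir
    $sys = Join-Path $win 'System32'      # assumes the modern %System% location
    $pf  = $env:ProgramFiles

    # 1. Mutex held by a running instance (looked up in the current session namespace)
    try {
        $m = [System.Threading.Mutex]::OpenExisting('_Toolbar_Class_32')
        $m.Dispose()
        $findings.Add('mutex _Toolbar_Class_32 is present (an instance may be running)')
    } catch {
        # WaitHandleCannotBeOpenedException means absent; an access-denied
        # error means it exists but is owned by another security context.
        if ($_.Exception.Message -match 'denied') {
            $findings.Add('mutex _Toolbar_Class_32 exists but could not be opened')
        }
    }

    # 2. Dropped files, plus the displaced copy of the real userinit.exe
    $dropped = @(
        (Join-Path $pf  'Common Files\system\lsass.exe'),
        (Join-Path $win 'system\ctfmon.exe'),
        (Join-Path $sys 'divx5.dll'),   # user-mode rootkit
        (Join-Path $sys 'h323.txt'),    # stolen-data log
        (Join-Path $sys 'cmd.txt'),     # downloaded configuration
        (Join-Path $sys 'hst.txt')      # hosts-file payload
    )
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
    }
    $backup   = Join-Path $win 'system\userinit.exe'
    $userinit = Join-Path $sys 'userinit.exe'
    if (Test-Path -LiteralPath $backup) {
        $findings.Add("backup of userinit.exe present: $backup")
        $h1 = (Get-FileHash -LiteralPath $backup   -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $userinit -Algorithm SHA256).Hash
        if ($h1 -ne $h2) {
            $findings.Add("$userinit differs from the backup copy; the original was likely overwritten")
        }
    }

    # 3. Run-key persistence, infection markers and the configured download domain
    $valueChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'ctfmon.exe' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Userinit' },
        @{ Path = 'HKLM:\SOFTWARE';                                     Name = 'tvr' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft';                           Name = 'gold' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft';                           Name = 'd' }
    )
    foreach ($c in $valueChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) {
            $findings.Add("registry value $($c.Path)\$($c.Name) = $($item.($c.Name))")
        }
    }

    # 4. Windows File Protection switched off via SFCDisable
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.SFCDisable -and $wl.SFCDisable -ne 0) {
        $findings.Add(('Winlogon\SFCDisable = 0x{0:X8}' -f $wl.SFCDisable))
    }

    # 5. Firewall exceptions registered for the dropped binaries
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            if ($p.Name -match '\\system\\ctfmon\.exe$|\\userinit\.exe$') {
                $findings.Add("firewall exception: $($p.Name) = $($p.Value)")
            }
        }
    }
    return $findings
}

$hits = Find-TrojanIndicators
if ($hits.Count -eq 0) { 'No indicators found.' } else { $hits }
```

A clean host returns no findings; any single hit is worth a closer look, and a mismatched userinit.exe hash together with a non-zero SFCDisable is the combination this family leaves behind.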


Attempts to download a configuration file using one of the following URLs:

* [http://]www.certdreams.com/cm[REMOVED]
* [http://]www.certdreams.com/pm[REMOVED]
* [http://]www.certdreams.com/down[REMOVED]

Alternatively, the Trojan may use a domain configured under the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\"d" = "[DOMAIN NAME]"

The Trojan saves the downloaded configuration file as:

%System%\cmd.txt


May then modify the hosts file with data copied from a downloaded configuration file, %System%\hst.txt.


Modifies the following .dll files, and any backup copies in the %Windir%\dllcache folder, in order to disable System File Protection:

* %System%\sfc_os.dll
* %System%\sfc.dll


Attempts to close windows that have the following titles, some of which may be security-related:

* Norton Personal Firewall
* Create rule for %s
* Un processus cache requiert une connexion reseau.
* Ne plus afficher cette invite
* Un proceso oculto solicita acceso a la red
* Aceptar
* Warning: Components Have Changed
* &Make changed component shared
* Hidden Process Requests Network Access
* Ein versteckter Prozess verlangt Netzwerkzugriff.
* PermissionDlg
* &Remember this answer the next time I use this program.
* &Yes
* Windows Security Alert
* Allow all activities for this application
* Kerio Personal Firewall Alert
* Create a rule for this communication and don't ask me again.


Attempts to end the following processes:

* WINLDRA.EXE
* NETSCAPE.EXE
* OPERA.EXE
* FIREFOX.EXE
* MOZILLA.EXE
* M00.EXE
* WINTBPX.EXE
* SWCHOST.EXE
* SVOHOST.EXE
* SVC.EXE
* WINSOCK.EXE


Attempts to disable the following programs:

* C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
* C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe


Steals the following information and saves it to the %System%\h323.txt file:

* POP3 user name
* Password for Internet Explorer AutoComplete
* MSN Explorer Signup account
* The Bat! configuration file


Searches for the following strings in the Web browser:

* cahoot
* egg
* if.com
* smile
* first
* nation
* abbey
* natwest
* citi
* barclay
* allianc
* bank
* hsbc
* lloyd
* nwolb
* online
* hali
* npbs
* marbles
* trade
* e-gold
* rbs.


Logs the following data, related to Web browsing activities, in the file %System%\h323.txt:

* URLs visited
* Radio button and checkbox status
* Keystrokes


Posts all the log files it creates to a Web site defined by the remote attacker. The Trojan also sends the following data, which it gathers from the compromised computer, to this Web site:

* Username
* Opened port number
* Connection type (modem or LAN)


Opens a proxy server on a random TCP port.
Use it at your own risk.
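As an added example that is not part of the write-up, the following lists listening TCP sockets and ties each to its owning process image, since the proxy described above has to listen on some port and the write-up gives only the names the Trojan hides behind. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated shell so that every process's image path can be resolved.

```powershell
# Added example (not from the write-up): flag listening sockets owned by the
# binary names the Trojan uses, when they run from an unexpected location or
# when the binary has no business listening at all.
function Find-SuspiciousListeners {
    $sys   = Join-Path $env:windir 'System32'
    $watch = @('userinit.exe', 'lsass.exe', 'ctfmon.exe')
    $results   = @()
    $procCache = @{}
    foreach ($conn in Get-NetTCPConnection -State Listen) {
        $procId = $conn.OwningProcess
        if (-not $procCache.ContainsKey($procId)) {
            $procCache[$procId] = Get-Process -Id $procId -ErrorAction SilentlyContinue
        }
        $p = $procCache[$procId]
        if (-not $p -or -not $p.Path) { continue }   # path needs elevation for system processes
        $name     = [System.IO.Path]::GetFileName($p.Path).ToLower()
        $inSystem = $p.Path.StartsWith($sys, [System.StringComparison]::OrdinalIgnoreCase)
        $reason   = $null
        if ($watch -contains $name -and -not $inSystem) {
            # The real lsass.exe, userinit.exe and ctfmon.exe live in %System%
            $reason = "$name running outside $sys"
        } elseif ($name -eq 'userinit.exe' -or $name -eq 'ctfmon.exe') {
            # Neither normally owns a listening socket, wherever it runs from
            $reason = "$name should not own a listening socket"
        }
        if ($reason) {
            $results += [pscustomobject]@{
                LocalPort = $conn.LocalPort
                PID       = $procId
                Image     = $p.Path
                Reason    = $reason
            }
        }
    }
    return $results
}

Find-SuspiciousListeners | Format-Table -AutoSize
```

The genuine lsass.exe in System32 does legitimately listen (for example on domain controllers), so it is flagged only when it runs from elsewhere, such as the %ProgramFiles%\Common Files\system copy described above; userinit.exe and ctfmon.exe are flagged on any listening port.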
