Detect date: 04/13/2010
Class: Trojan-Downloader
Platform: Win32

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or added to the list of programs that run automatically when the operating system boots. Information about the names and locations of the programs to be downloaded is either embedded in the Trojan code or fetched by the Trojan from an Internet resource (usually a web page). This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

The Trojan ensures that hidden files cannot be shown by Explorer.exe by modifying the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"

The Trojan also ensures that file extensions cannot be shown by Explorer.exe by setting the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

In order to prevent these parameters from being reverted, the Trojan disables "Folder Options" in Explorer.exe by setting the following system registry key parameter:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderOptions" = "1"
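As an added example (not part of the original description), the following Python check parses a file produced by `reg export` and reports which of the values listed above are set the way the Trojan leaves them. The sample export is constructed for illustration.

```python
import re

# Registry values the Trojan sets (from the description above); hive names are
# spelled out as `reg export` writes them. Comparison is case-insensitive, as the registry is.
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer"
INDICATORS = {
    (ADVANCED, "Hidden"): 0,           # hidden files not shown
    (ADVANCED, "ShowSuperHidden"): 0,  # protected OS files not shown
    (ADVANCED, "HideFileExt"): 1,      # extensions hidden (also the Windows default on its own)
    (POLICIES, "NoFolderOptions"): 1,  # Folder Options disabled in Explorer
}

def parse_reg_export(text):
    """Parse [key] headers and "name"=dword:xxxxxxxx lines of a .reg export into {(key, name): int}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key is not None:  # other value types (REG_SZ, binary) are ignored
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def find_tampering(values):
    """Return [(key, name, value)] for each indicator set to the Trojan's value."""
    hits = []
    for (key, name), bad in INDICATORS.items():
        if values.get((key.lower(), name.lower())) == bad:
            hits.append((key, name, bad))
    return hits

# Constructed sample export (not from the page) with all four values tampered.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderOptions"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, value in find_tampering(parse_reg_export(SAMPLE_EXPORT)):
        print(f"TAMPERED {key}\\{name} = {value}")
```

A lone HideFileExt hit is the normal Windows default; NoFolderOptions together with the Advanced values is the combination worth alerting on.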

The Trojan then creates a hidden folder called "psador18.dll" in the Windows system directory:

%System%\psador18.dll

The file contains the following email addresses:

ot01_***@mail.ru
ot02_***@mail.ru

The Trojan also extracts a rootkit called "psagor18.sys" from its body. This file will be placed in the Trojan's working directory. This rootkit includes functions which will hide the presence of the "psador18.dll" and "AHTOMSYS19.exe" files. It also gives the Trojan the highest system privileges, making it impossible to delete the Trojan file or terminate Trojan processes.

When the system is shut down, this file will be deleted, but will be recreated when the system is rebooted.

The Trojan tracks the appearance of windows with the following titles:

NOD32 2.5 Control Center
Сканер NOD32 по требованию — [Профиль центра управления — Локально]
Сканер NOD32 по требованию — [Профиль контекстного меню]
NOD32 — Предупреждение
Пpeдупpeждeниe
Редактор конфигурации NOD32 — [Untitled]
Антивирус Касперского Personal 0- выполняется проверка…
Карантин
Настройка обновления
Настройка карантина и резервного хранилища
Выберите файл для отправки на исследование
AVP.MessageDialog
AVP.MainWindow
AVP.Product_Notification
AVP.SettingsWindow
AVP.ReportWindow
Agnitum Outpost Firewall — configuration.cfg
Настройка системы
Редактор реестра
RegEdit_RegEdit

If the Trojan detects such windows, they will be automatically closed.

The Trojan also looks for flash devices. If it detects any such devices, the Trojan will copy its body as "CDburn.exe", and create a file called "autorun.inf" which contains a link to the Trojan's body. This ensures that the Trojan file will be automatically launched each time the device is connected.

The Trojan also harvests email addresses from the victim machine and sends an email message to them. The email has an empty subject line, and the following contents:

Я незнаю ее там помоему небыло(((… вот, посмотри http://softclub.land.ru/seeing/katie.rar
