Trojan-Downloader.Win32.VB

Detect Date 04/13/2010
Class Trojan-Downloader
Platform Win32
Description

The Trojan ensures that hidden files cannot be shown by Explorer.exe by modifying the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

“Hidden” = “0”

“ShowSuperHidden” = “0”

The Trojan also ensures that file extensions cannot be shown by Explorer.exe by setting the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

“HideFileExt” = “1”

In order to prevent these parameters from being reverted, the Trojan disables “Folder Options” in Explorer.exe by setting the following system registry key parameter:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]

“NoFolderOptions” = “1”

The Trojan then creates a hidden folder called “psador18.dll” in the Windows system directory (the name is written with Cyrillic look-alike letters in place of the Latin “p”, “a” and “o”):

%System%\рsаdоr18.dll

The file contains the following email addresses:

ot01_***@mail.ru
ot02_***@mail.ru

The Trojan also extracts a rootkit called “psagor18.sys” from its body. This file will be placed in the Trojan’s working directory. This rootkit includes functions which will hide the presence of the “psador18.dll” and “AHTOMSYS19.exe” files. It also gives the Trojan the highest system privileges, making it impossible to delete the Trojan file or terminate Trojan processes.

When the system is shut down, this file will be deleted, but will be recreated when the system is rebooted.

The Trojan tracks the appearance of windows with the following titles:

NOD32 2.5 Control Center

Сканер NOD32 по требованию — [Профиль центра управления — Локально]

Сканер NOD32 по требованию — [Профиль контекстного меню]

NOD32 — Предупреждение

Пpeдупpeждeниe

Редактор конфигурации NOD32 — [Untitled]

Антивирус Касперского Personal

0- выполняется проверка…

Карантин

Настройка обновления

Настройка карантина и резервного хранилища

Выберите файл для отправки на исследование

AVP.MessageDialog

AVP.MainWindow

AVP.Product_Notification

AVP.SettingsWindow

AVP.ReportWindow

Agnitum Outpost Firewall — configuration.cfg

Настройка системы

Редактор реестра

RegEdit_RegEdit

If the Trojan detects such windows, they will be automatically closed.

The Trojan also looks for flash devices. If it detects any such devices, the Trojan will copy its body as “CDburn.exe”, and create a file called “autorun.inf” which contains a link to the Trojan’s body. This ensures that the Trojan file will be automatically launched each time the device is connected.
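As an added example that is not part of the original entry, the following PowerShell script audits the Explorer registry values and the removable-drive autorun.inf described above, and can put the Explorer values back. The function names, the -Restore switch and the restore values (1 for Hidden and ShowSuperHidden, 0 for HideFileExt and NoFolderOptions) are the example’s own choices; writing under HKLM requires an elevated shell.

```powershell
# Added example, not code from the original entry.
# Audits the registry values and removable-drive autorun.inf the description lists.
param([switch]$Restore)   # hypothetical switch: put the Explorer values back

# Indicators exactly as stated in the description; Good = value this example restores
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Bad = 0; Good = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0; Good = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Bad = 1; Good = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1; Good = 0 }
)

function Test-ExplorerTampering {
    foreach ($i in $indicators) {
        # Missing value -> $null, which never matches the tampered value
        $current = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
        if ($null -ne $current -and [int]$current -eq $i.Bad) {
            [pscustomobject]@{ Path = $i.Path; Name = $i.Name; Value = $current; Suspicious = $true }
            if ($Restore) {
                # HKLM write needs an elevated shell
                Set-ItemProperty -Path $i.Path -Name $i.Name -Value $i.Good -Type DWord
            }
        }
    }
}

function Test-RemovableAutorun {
    # DriveType 2 = removable; report an autorun.inf that references the dropper name
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $content = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
            if ($content -match 'CDburn\.exe') {
                [pscustomobject]@{ Path = $inf; Suspicious = $true }
            }
        }
    }
}

Test-ExplorerTampering
Test-RemovableAutorun
```

No output means none of the listed indicators were found; each emitted object is one value or file that matches the description.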

The Trojan also harvests email addresses from the victim machine and sends an email message to them. The email has an empty subject line, and the following contents:

Я незнаю ее там помоему небыло(((… вот, посмотри http://softclub.land.ru/seeing/katie.rar

(In English: “I don’t know, I think it wasn’t there((( … here, have a look http://softclub.land.ru/seeing/katie.rar”)