Kaspersky Threats

Class

Platform

Description

Technical Details

Checkin is a “downloader” trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++.

The trojan file sizes are of the following approximate sizes:

“Checkin.a”: 50Kb
“Checkin.b”: 45Kb

The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:

 "Checkin.a": 

 HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  SysReg = %SystemDir%SysReg

 "Checkin.b": 

 HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  OWMngr = %SystemDir%OWMngr.exe

It seems that the trojan program should be completed by an “installator” that performs all steps for installing the trojan program into the system.

The trojan program also creates more registry keys:

 HKCUSoftwareIExplore   Ads
   AID
   ID
   LoggedIn

It uses these keys for its ‘internal’ needs.

Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file.

The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:

 
 "Checkin.a":  http://tp.searchseekfind.com
 "Checkin.b":  http://ads.onwebmedia.com

At these locations the trojan uses the “Checkin.pl” file.

Class	Trojan-Dropper
Platform	Win32
Description	Technical Details Checkin is a “downloader” trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++. The trojan file sizes are of the following approximate sizes: “Checkin.a”: 50Kb “Checkin.b”: 45Kb The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key: "Checkin.a": HKCUSoftwareMicrosoftWindowsCurrentVersionRun SysReg = %SystemDir%SysReg "Checkin.b": HKCUSoftwareMicrosoftWindowsCurrentVersionRun OWMngr = %SystemDir%OWMngr.exe It seems that the trojan program should be completed by an “installator” that performs all steps for installing the trojan program into the system. The trojan program also creates more registry keys: HKCUSoftwareIExplore Ads AID ID LoggedIn It uses these keys for its ‘internal’ needs. Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file. The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site: "Checkin.a": http://tp.searchseekfind.com "Checkin.b": http://ads.onwebmedia.com At these locations the trojan uses the “Checkin.pl” file.

Trojan-Dropper.Win32.Checkin

Technical Details