Trojan-Dropper.Win32.Checkin

Class Trojan-Dropper
Platform Win32
Description

Technical Details

Checkin is a “downloader” trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++.

The approximate sizes of the trojan files are:

“Checkin.a”: 50Kb
“Checkin.b”: 45Kb

The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:

 "Checkin.a": 

 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  SysReg = %SystemDir%\SysReg

 "Checkin.b": 

 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  OWMngr = %SystemDir%\OWMngr.exe

It seems that the trojan program is meant to be accompanied by an “installer” that performs all the steps needed to install the trojan program into the system.

The trojan program also creates more registry keys:

 HKCU\Software\IExplore
   Ads
   AID
   ID
   LoggedIn

It uses these keys for its ‘internal’ needs.

Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file.

The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:

 
 "Checkin.a":  http://tp.searchseekfind.com
 "Checkin.b":  http://ads.onwebmedia.com
  

At these locations the trojan uses the “Checkin.pl” file.
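
As an added example (not part of the original description), the registry traces listed above can be checked for in saved `reg query` output. The function names and the sample output below are constructed for illustration; matching is by value name only, so a hit needs confirmation against the file on disk.

```python
import re
# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"sysreg": "Checkin.a", "owmngr": "Checkin.b"}
STATE_KEY = r"HKEY_CURRENT_USER\Software\IExplore"
STATE_NAMES = {"ads", "aid", "id", "loggedin"}

VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query` output (4-space separated name, type, data lines
    under each key path) into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(3)
    return keys

def find_checkin(text):
    """Return (variant or None, reason) findings for the registry traces."""
    keys = {k.lower(): v for k, v in parse_reg_query(text).items()}
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        variant = RUN_VALUES.get(name.lower())
        if variant:
            findings.append((variant, f"Run value {name} = {data}"))
    # Assumption: Ads/AID/ID/LoggedIn may be values or subkeys; accept both.
    prefix = STATE_KEY.lower()
    seen = {n.lower() for n in keys.get(prefix, {})}
    seen |= {k[len(prefix) + 1:] for k in keys if k.startswith(prefix + "\\")}
    hits = sorted(seen & STATE_NAMES)
    if hits:
        findings.append((None, "IExplore entries: " + ", ".join(hits)))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    OWMngr    REG_SZ    C:\WINDOWS\system32\OWMngr.exe

HKEY_CURRENT_USER\Software\IExplore
    AID    REG_SZ    0
    LoggedIn    REG_DWORD    0x1
"""
```

Calling find_checkin(SAMPLE) returns one finding for the Checkin.b Run value and one for the IExplore entries; the same function can be fed the combined output of `reg query` for both keys from each user profile.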