Trojan-Downloader.Win32.Deliver.m
| Detected | Mar 24 2011 22:00 GMT |
| Released | Mar 25 2011 02:40 GMT |
File size: 16896 bytes.
Creates the following files on an infected computer:
Steals confidential user information from the following banks, financial institutions, payment systems:
(A malicious program designed to steal user information related to banking and electronic payment systems and bank cards. The information is sent to a cybercriminal via email, ftp, the web or other methods. Read more details here: http://www.viruslist.com/en/analysis?pubid=204792037)
Ensures subsequent autorun of installed files by adding values to autorun keys in the system registry:
(Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted.)
[HKLM\SYSTEM\ControlSet001\Control\SecurityProviders] "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mynvdley.dll"
Injects its code into the following processes:
Modifies security settings by changing (or deleting) Windows registry keys:
[HKLM\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = "0x1"
Description: Enables/disables the display of Windows Security Center pop-up messages about the antivirus status
[HKLM\SOFTWARE\Microsoft\Security Center] "AntiVirusOverride" = "0x1"
Description: Specifies the settings of the Windows Security Center
[HKLM\SOFTWARE\Microsoft\Security Center] "FirewallDisableNotify" = "0x1"
Description: Enables/disables the display of Windows Security Center pop-up messages about the firewall status
[HKLM\SOFTWARE\Microsoft\Security Center] "FirewallOverride" = "0x1"
Description: Specifies the settings of the Windows Security Center
[HKLM\SOFTWARE\Microsoft\Security Center] "UpdatesDisableNotify" = "0x1"
Description: Enables/disables the display of Windows Security Center pop-up messages about the status of the Windows Update service
Deletes or modifies the system registry keys shown below in order to prevent correct functioning of antivirus solutions:
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess] "Start" = "0x4"
Searches computers with the following IP addresses and open ports:
| Zone | 204.*.*.* |
| Port | 20480 |
Connects to the following Internet addresses:
Creates unique identifiers to flag its presence in the system
Uses the masks shown below to search for files on the victim machine:
Runs the following files (commands):
Searches for the following windows:
| Class: | msascui_class |
Modifies the system registry keys:
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = "0x0"
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DoNotAllowExceptions" = "0x0"
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = "0x1"
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = "0x0"
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DoNotAllowExceptions" = "0x0"
[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = "0x1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe" = "%System%\ctfmon.exe"
Description: Used to automatically run files when the Windows OS boots (%System% is the Windows system directory, usually C:\Windows\System32)
[HKCU\.exe] "(default)" = "exefile"
[HKCU\.exe] "Content Type" = "application/x-msdownload"
[HKCU\.exe\DefaultIcon] "(default)" = "%1"
[HKCU\.exe\shell\open\command] "(default)" = "<value beginning with the current user directory (usually, C:\Documents and Settings\...); remainder truncated>"
[HKCU\.exe\shell\open\command] "IsolatedCommand" = ""%1" %*"
[HKCU\.exe\shell\runas\command] "(default)" = ""%1" %*"
[HKCU\.exe\shell\runas\command] "IsolatedCommand" = ""%1" %*"
[HKCU\exefile] "(default)" = "Application"
[HKCU\exefile] "Content Type" = "application/x-msdownload"
[HKCU\exefile\DefaultIcon] "(default)" = "%1"
[HKCU\exefile\shell\open\command] "(default)" = "<value beginning with the current user directory (usually, C:\Documents and Settings\...); remainder truncated>"
[HKCU\exefile\shell\open\command] "IsolatedCommand" = ""%1" %*"
[HKCU\exefile\shell\runas\command] "(default)" = ""%1" %*"
[HKCU\exefile\shell\runas\command] "IsolatedCommand" = ""%1" %*"
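As an added defender-side example (not part of this description), the following Python audits a registry snapshot, given as a dict of key path to value names, for the changes listed in this description: the DLL appended to SecurityProviders, the Security Center overrides, the disabled SharedAccess service and firewall profiles, and the per-user .exe handler hijack. The snapshot is constructed here in the page's "0x1" value notation; the handler path in it is a placeholder because the page does not give it.

```python
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}

# Stock Windows XP SecurityProviders list; anything appended to it is suspect.
STOCK_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
PROVIDERS_KEY = r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders"
SEC_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
SHARED_ACCESS = r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess"
FW_POLICY = SHARED_ACCESS + r"\Parameters\FirewallPolicy"
SEC_CENTER_FLAGS = ("AntiVirusDisableNotify", "AntiVirusOverride",
                    "FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify")

def is_set(data) -> bool:
    """True for a DWORD of 1, whether stored as int 1 or as the text '0x1'."""
    return data is not None and str(data).lower() in ("1", "0x1")

def audit(snap: Snapshot) -> List[str]:
    """Return one finding per indicator from this description present in snap."""
    get = lambda key, name: snap.get(key, {}).get(name)
    findings: List[str] = []
    # 1. Persistence: an extra DLL appended to SecurityProviders (loaded at boot).
    for dll in (p.strip().lower() for p in (get(PROVIDERS_KEY, "SecurityProviders") or "").split(",")):
        if dll and dll not in STOCK_PROVIDERS:
            findings.append(f"non-stock SecurityProvider: {dll}")
    # 2. Security Center notifications suppressed / status overridden.
    findings += [f"Security Center {n}=1" for n in SEC_CENTER_FLAGS if is_set(get(SEC_CENTER, n))]
    # 3. Firewall/ICS service disabled (Start=4) or a profile's firewall turned off.
    if str(get(SHARED_ACCESS, "Start")).lower() in ("4", "0x4"):
        findings.append("SharedAccess service disabled (Start=4)")
    for profile in ("StandardProfile", "DomainProfile"):
        key = f"{FW_POLICY}\\{profile}"
        if str(get(key, "EnableFirewall")).lower() in ("0", "0x0"):
            findings.append(f"{profile}: EnableFirewall=0")
        if is_set(get(key, "DisableNotifications")):
            findings.append(f"{profile}: DisableNotifications=1")
    # 4. Per-user .exe handler hijack: the stock open command is exactly "%1" %*.
    for key in (r"HKCU\.exe\shell\open\command", r"HKCU\exefile\shell\open\command"):
        cmd = get(key, "(default)")
        if cmd is not None and cmd.strip() != '"%1" %*':
            findings.append(f"exe handler hijacked at {key}: {cmd}")
    return findings

# Constructed snapshot mirroring the changes listed above (handler path is a placeholder).
SAMPLE: Snapshot = {
    PROVIDERS_KEY: {"SecurityProviders": "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mynvdley.dll"},
    SEC_CENTER: {"AntiVirusDisableNotify": "0x1", "FirewallOverride": "0x1"},
    SHARED_ACCESS: {"Start": "0x4"},
    FW_POLICY + r"\StandardProfile": {"EnableFirewall": "0x0", "DisableNotifications": "0x1"},
    r"HKCU\exefile\shell\open\command": {"(default)": r'"%UserProfile%\PLACEHOLDER.exe" "%1" %*'},
}
```

Running `audit(SAMPLE)` yields seven findings, one per changed value; a clean host with the stock provider list and the stock `"%1" %*` handler yields none.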
Deletes the following files on an infected computer:
Trojan-Downloader
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded is either contained in the Trojan code or downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.