English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Follow us on

Home→Descriptions→Trojan-Downloader.Win32.Genome.ccpo

Trojan-Downloader.Win32.Genome.ccpo

Detected	Feb 28 2011 14:20 GMT
Released	Feb 28 2011 20:54 GMT
Published	May 17 2011 13:49 GMT

Manual description Auto description

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file). It is 3072 bytes in size. It is written in C++.

Payload

Once launched, the Trojan performs the following actions:

It deletes the following file:
```
%Temp%\tmp.exe
```
It downloads a file from the Internet via the following link:
```
http://an***hub.net/file/1Vss-dados.exe
```
The downloaded file is saved in the current user's temporary files directory as
```
%Temp%\tmp.exe
```
At the time of writing, a file of 99 392 bytes in size was downloaded from the aforementioned link; MD5: 5DCE6708EDE86950EDFC8A418172A708, SHA1: 4741ADA513D866F182E78C31B6367244891500A3; detected by Kaspersky Anti-Virus as "Trojan.Win32.VBKrypt.brct".
It launches the previously downloaded file for execution. At the time of writing, the downloaded file did not demonstrate its payload and stopped running with an error, issuing the message:

Next, the Trojan ceases running.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
Delete the following file:
```
%Temp%\tmp.exe
```
Empty the Temporary Internet Files folder, which may contain infected files (How to delete infected files from Temporary Internet Files folder?).
Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

Summary

Trojan-Dropper. Hidden installation of other malicious programs in the system

Implements network activity

Technical details

File size of 3072 bytes.

Malicious activity

Creates the following files:

Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\tmp.exe (Kaspersky Anti-Virus detects as Trojan.Win32.VBKrypt.brct)

Launches files shown below for execution:

Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\tmp.exe (implements multiple launch)

Connects to to the following Internet addresses:

***.125.43.109:53505

Communicates with the following Internet addresses:

http://***hub.net/file/1Vss-dados.exe

Creates unique identifiers to flag its presence in the system

ZonesCounterMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
MSIdent Logon

Uses the masks shown below to search for files on the victim machine:

*.*

Other activities

Modifies the system registry keys:

[ System registry hive HKEY_CURRENT_USERHKCU\Identities ] "Identity Ordinal" = "0x2"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Server ID" = "0x0"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot ] "LDAP Server ID" = "0x1"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\VeriSign ] "LDAP Server ID" = "0x2"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere ] "LDAP Server ID" = "0x3"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager ] "Server ID" = "0x4"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts ] "PreConfigVer" = "0x4"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts ] "PreConfigVerNTDS" = "0x1"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "Account Name" = "Active Directory"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Server" = "NULL"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Search Return" = "0x64"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Timeout" = "0x3C"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Authentication" = "0x2"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Simple Search" = "0x0"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Bind DN" = "0x0"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Port" = "0xCC4"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Resolve Flag" = "0x1"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Secure Connection" = "0x0"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP User Name" = "NULL"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC ] "LDAP Search Base" = "NULL"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot ] "Account Name" = "Bigfoot Internet Directory Service"

Deletes the following parameters of the system registry keys:

[ System registry hive HKEY_CURRENT_USERHKCU\Identities ] "Changing" = ""

[ System registry hive HKEY_CURRENT_USERHKCU\Identities ] "IncomingID" = ""

[ System registry hive HKEY_CURRENT_USERHKCU\Identities ] "OutgoingID" = ""

Deletes the following files on an infected computer:

Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\tmp.exe

Print

Share

Malicious programs

Trojans

Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.

Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.

Other versions

Trojan-Downloader.Win32.Genome.abgk

Trojan-Downloader.Win32.Genome.abgl

Trojan-Downloader.Win32.Genome.abgm

Trojan-Downloader.Win32.Genome.abgp

Trojan-Downloader.Win32.Genome.asuc

Trojan-Downloader.Win32.Genome.asut

Trojan-Downloader.Win32.Genome.asvq

Trojan-Downloader.Win32.Genome.atab

Trojan-Downloader.Win32.Genome.baql

Trojan-Downloader.Win32.Genome.cfbv