|Detected||Jun 25 2011 20:01 GMT|
|Released||Jun 25 2011 22:50 GMT|
|Published||Sep 09 2011 16:26 GMT|
A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE-EXE file). 231124 bytes. Written in C++.
After launching, the trojan searches for the launched process named:
Garss.exeIf this process has been launched, the trojan terminates its implementation. The trojan then retrieves the file saved in the temporary file directory under the following name from its body:
%Temp%\<rnd>_res.tmpwhere rnd is a random digital sequence. It then moves this file and saves it under the following name:
%Documents and Settings%\QQCRT.DLLThe file is 22154588 bytes and is detected by Kaspersky Antivirus as Trojan-GameThief.Win32.Magania.erpe. The trojan also moves the system file:
C: \Program Files\Garss.exeThen, using the command line, it launches the malicious library for execution:
C:\Program Files\Garss.exe "C:\Documents and Settings\QQCRT.DLL" MainTo start up the malicious library, the trojan modifies the "BITS" system service. The trojan therefore creates and launches a system registry file under the following name:
C:\1.regafter which the following information is added to the system registry:
[HKLM\System\CurrentControlSet\Services\BITS] "Type"=dword:00000020 "Start"=dword:00000002 "ErrorControl"=dword:00000001 "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs" "DisplayName"="Background Intelligent Transfer Service (BITS)" "DependOnService"=hex(7):52,70,63,53,73,00,00 "DependOnGroup"=hex(7):00 "ObjectName"="LocalSystem" "Description"="Ensures the transfer of data between clients and severs in the background. If the BITS service is disabled, options such as Windows Update will not work properly." "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\ 00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00 [HKLM\System\CurrentControlSet\Services\BITS\Parameters] "ServiceDll"="%Documents and Settings%\QQCRT.DLL"After launching, the "1.reg" file is deleted. The trojan also searches for the following antivirus processes:
RsTray.exe 360tray.exeand runs active resistance to anti-virus applications in separate strings. The trojan may also copy its executable file under the following name:
C:\Program Files\QQ.EXEIt creates a file entitled:
C:\LoadLibrary.exewhich may also be moved by the trojan and saved under the following name:
%Documents and Settings%\%Current User%\Main menu\X.exeThe file is 36752 bytes. The trojan uses this file to launch the malicious library. It retrieves the following certificate from its body and installs this:
%WinDir%\Windows.cer – which is 590 bytes.After its implementation, the trojan deletes itself.
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
%Documents and Settings%\QQCRT.DLL
[HKLM\System\CurrentControlSet\Services\BITS\Parameters] "ServiceDll"="%Documents and Settings%\QQCRT.DLL"change to
[HKLM\System\CurrentControlSet\Services\BITS\Parameters] "ServiceDll" = "%SystemRoot%\System32\qmgr.dll"
C:\Program Files\QQ.EXE C:\LoadLibrary.exe %Documents and Settings%\%Current User%\Main menu\X.exe %WinDir%\Windows.cer
C: \Program Files\Garss.exeto
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to: