| Detected | Oct 15 2007 09:14 GMT |
| Released | Oct 15 2007 09:14 GMT |
| Published | May 15 2008 15:47 GMT |
This malicious program is a Trojan. It is a Windows PE EXE file. It is 117248 bytes in size. It is packed using UPX. The unpacked file is approximately 280KB in size. This Trojan is written in Visual Basic.
Once launched, the Trojan creates a folder called "DETER177" in the Windows system directory. It copies its body under the names "lsass.exe", "smss.exe" and "svchost.exe" to this directory:
It then sets the attributes of the folder and of the dropped files to "hidden" and "system".
The Trojan also copies its body to the Windows system directory as "ctfmon" and "AHTOMSYS919.exe":
Some of the letters in these file names are in Russian (Cyrillic) encoding.
In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file to the system registry:
In order to trick the user, the Trojan file uses a standard Windows folder icon.
The Trojan ensures that hidden files cannot be shown by Explorer.exe by modifying the following system registry key parameters:
The Trojan also ensures that file extensions cannot be shown by Explorer.exe by setting the following system registry key parameters:
In order to prevent these parameters from being reverted, the Trojan disables "Folder Options" in Explorer.exe by setting the following system registry key parameter:
The Trojan then creates a hidden folder called "psador18.dll" in the Windows system directory:
The file contains the following email addresses:
The Trojan also extracts a rootkit called "psagor18.sys" from its body. This file will be placed in the Trojan's working directory. This rootkit includes functions which will hide the presence of the "psador18.dll" and "AHTOMSYS19.exe" files. It also gives the Trojan the highest system privileges, making it impossible to delete the Trojan file or terminate Trojan processes.
When the system is shut down, this file is deleted, but it is recreated when the system is rebooted.
The Trojan tracks the appearance of windows with the following titles:
If the Trojan detects such windows, they will be automatically closed.
The Trojan also looks for flash devices. If it detects any such devices, the Trojan will copy its body as "CDburn.exe", and create a file called "autorun.inf" which contains a link to the Trojan's body. This ensures that the Trojan file will be automatically launched each time the device is connected.
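As an added illustration that is not part of this description, the Python below looks for two of the artefacts described above from a defender's side: copies dropped under the "DETER177" folder with the process names listed earlier, and an autorun.inf on a removable drive that launches "CDburn.exe". The sample autorun.inf contents and the fake system directory are constructed for the example, not captured from the Trojan.

```python
import os
import tempfile

# Names from the advisory; the two autorun.inf samples are constructed, not captured.
DROPPED_NAMES = {"lsass.exe", "smss.exe", "svchost.exe"}
DROPPER_DIR = "DETER177"
USB_COPY_NAME = "cdburn.exe"
SAMPLE_AUTORUN = "[autorun]\nopen=CDburn.exe\nshell\\open\\command=CDburn.exe\nicon=CDburn.exe\n"
BENIGN_AUTORUN = "[autorun]\nicon=drive.ico\nlabel=Backup\n"

def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as a dict with lower-cased keys."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_launch_targets(text):
    """Base names of files the autorun.inf would run: open=, shellexecute=, shell\\<verb>\\command=."""
    targets = []
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            parts = value.replace('"', "").split()
            if parts:
                targets.append(os.path.basename(parts[0].replace("\\", "/")).lower())
    return targets

def autorun_matches_advisory(text):
    """True when the autorun.inf launches a file with the name the Trojan writes to flash drives."""
    return USB_COPY_NAME in autorun_launch_targets(text)

def find_dropped_copies(system_dir):
    """Names in <system_dir>\\DETER177 that match the process names the Trojan copies itself under."""
    folder = os.path.join(system_dir, DROPPER_DIR)
    names = os.listdir(folder) if os.path.isdir(folder) else []
    return sorted(n for n in names if n.lower() in DROPPED_NAMES)

def demo_dropped_copies():
    """Build a constructed fake system directory holding one dropped copy and scan it."""
    with tempfile.TemporaryDirectory() as fake_system_dir:
        os.makedirs(os.path.join(fake_system_dir, DROPPER_DIR))
        open(os.path.join(fake_system_dir, DROPPER_DIR, "lsass.exe"), "wb").close()
        return find_dropped_copies(fake_system_dir)
```

Any autorun.inf that launches an executable from a removable drive is worth reviewing, not only one using this name; the name check simply ties the finding to this description.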
The Trojan also harvests email addresses from the victim machine and sends an email message to them. The email has an empty subject line, and the following contents:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs to be downloaded is either contained in the Trojan's code or downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.