
Trojan-Downloader.Win32.VB.bnp

Detected Oct 15 2007 09:14 GMT
Released Oct 15 2007 09:14 GMT
Published May 15 2008 15:47 GMT


Technical Details

This malicious program is a Trojan. It is a Windows PE EXE file, 117248 bytes in size, packed with UPX; the unpacked file is approximately 280 KB. The Trojan is written in Visual Basic.

Installation

Once launched, the Trojan creates a folder called "DETER177" in the Windows system directory and copies its body into it under the names "lsass.exe", "smss.exe" and "svchost.exe":

%System%\DETER177\lsass.exe
%System%\DETER177\smss.exe
%System%\DETER177\svсhоst.exe (the "с" and "о" are Cyrillic letters)

It then sets the "hidden" and "system" attributes on the folder and on the dropped files.

The Trojan also copies its body to the Windows system directory as "ctfmon.exe" and "AHTOMSYS19.exe":

%System%\ctfmon.exe
%System%\АHTОMSYS19.exe (the "А" and "О" are Cyrillic letters)

Some letters in these file names are Cyrillic characters that look identical to their Latin counterparts, so the names pass for legitimate ones in a directory listing but do not match the genuine, Latin-spelled file names (a search for "svchost.exe" will not find the dropped copy).
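As an added example that is not part of the original description, the following Python script applies the observation above to a file listing: it undoes the CP1251-as-Latin-1 mojibake in which this page prints the names, flags names that mix Latin and Cyrillic letters, maps the Cyrillic look-alikes back to Latin to see which system binary a name imitates, and separately flags genuine system names that sit outside the system directory (the DETER177 copies). The sample paths are constructed from this description; the system directory, the confusable-letter table and the verdict labels are assumptions of this example, not something the page states.

```python
import unicodedata

# Cyrillic letters whose glyphs are indistinguishable from Latin ones in most fonts.
# This sample uses с/о (svchost), А/О (AHTOMSYS19) and р/а/о (psador18). Assumed table.
CONFUSABLES = {
    "а": "a", "с": "c", "е": "e", "о": "o", "р": "p", "х": "x", "у": "y",
    "А": "A", "В": "B", "С": "C", "Е": "E", "Н": "H", "К": "K", "М": "M",
    "О": "O", "Р": "P", "Т": "T", "Х": "X",
}

# File names the Trojan borrows. ctfmon.exe is a genuine file name in %System%, so the
# Trojan's copy under that name can only be told apart by hash, not by this check.
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "svchost.exe", "csrss.exe",
                "winlogon.exe", "ctfmon.exe"}


def repair_mojibake(name: str) -> str:
    """Undo CP1251 bytes that were displayed as Latin-1 (the form this page prints),
    e.g. 'svñhîst.exe' -> 'svсhоst.exe'. Names that already contain real Cyrillic
    (or anything else outside Latin-1) are returned unchanged."""
    try:
        return name.encode("latin-1").decode("cp1251")
    except UnicodeError:
        return name


def scripts_in(name: str) -> set:
    """Unicode scripts ('LATIN', 'CYRILLIC', ...) of the letters in name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def skeleton(name: str) -> str:
    """Map confusable Cyrillic letters to Latin so 'svсhоst.exe' compares equal to 'svchost.exe'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def triage(path: str, system_dir: str = r"C:\WINDOWS\system32") -> str:
    """Classify one path as 'homoglyph' (spelled like a system binary but with Cyrillic
    letters), 'mixed-script' (Latin and Cyrillic mixed, nothing known impersonated),
    'misplaced-system-name' (a real system name outside the system directory) or 'ok'."""
    directory, _, name = path.rpartition("\\")
    name = repair_mojibake(name)
    skel = skeleton(name).lower()
    if len(scripts_in(name)) > 1:
        return "homoglyph" if skel in SYSTEM_NAMES else "mixed-script"
    if skel in SYSTEM_NAMES and directory.lower() != system_dir.lower():
        return "misplaced-system-name"
    return "ok"


def scan(paths) -> dict:
    """Return {path: verdict} for every path whose verdict is not 'ok'."""
    hits = {}
    for path in paths:
        verdict = triage(path)
        if verdict != "ok":
            hits[path] = verdict
    return hits


# Constructed sample listing (not from the page): the drop locations above, one name as the
# page prints it (mojibake) and one with its real Cyrillic letters, plus two benign files.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\DETER177\lsass.exe",
    r"C:\WINDOWS\system32\DETER177\smss.exe",
    r"C:\WINDOWS\system32\DETER177\svñhîst.exe",
    "C:\\WINDOWS\\system32\\\u0410HT\u041eMSYS19.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_PATHS).items():
        print(f"{verdict:22} {path}")
```

The mojibake repair is only needed for listings copied from a page like this one; on the infected machine itself the names are already Cyrillic, and only the mixed-script and misplaced-name checks apply.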

To ensure that it is launched automatically each time the system boots, the Trojan adds links to its executables in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon" = "%System%\ctfmon.exe"
"lsass" = "%System%\DETER177\lsass.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\АHTОMSYS19.exe"

Because every program listed in the Winlogon "Shell" value is started by Winlogon as the user shell, the second entry keeps the Trojan running even if the Run values are removed.

In order to trick the user, the Trojan file uses a standard Windows folder icon.


Payload

The Trojan prevents Explorer.exe from showing hidden files by setting the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"

It also prevents Explorer.exe from showing file extensions (together with the folder icon, this makes its executables look like folders) by setting:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

To stop the user from reverting these settings, the Trojan disables "Folder Options" in Explorer.exe through the following policy value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderOptions" = "1"
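As an added example that is not part of this description, the following Python script checks a Regedit 5.00 export for the persistence entries from the Installation section and for the Explorer tampering described above. The sample export is constructed from the values on this page, written out under the full key paths (HKLM\...\Windows\CurrentVersion\Run and HKLM\...\Windows NT\CurrentVersion\Winlogon); the reasons, the expected values and the rule that core system process names never belong in a Run key are this example's own, not the page's.

```python
import re

# Names of core system processes; none of them is ever started through a Run key.
SYSTEM_PROCESS_NAMES = {"lsass", "smss", "svchost", "csrss", "winlogon", "services"}

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# "name"=value or @=value lines of a .reg file (value names may contain escaped quotes)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key path (lower-cased, since registry paths are case-insensitive): {name: value}}.
    REG_SZ becomes str and REG_DWORD int; other types are kept as their raw text."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, raw = m.group(1), m.group(2)
        name = "@" if name == "@" else name[1:-1]
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def triage_registry(text: str) -> list:
    """Return findings for the persistence and Explorer-tampering values this Trojan sets.
    Each finding is {key, name, value, reason, expected}."""
    keys = parse_reg(text)
    findings = []

    def flag(key, name, value, reason, expected):
        findings.append({"key": key, "name": name, "value": value,
                         "reason": reason, "expected": expected})

    for run in RUN_KEYS:
        for name, value in keys.get(run.lower(), {}).items():
            target = str(value)
            exe = target.replace("/", "\\").split("\\")[-1].split(" ")[0].lower()
            stem = exe[:-4] if exe.endswith(".exe") else exe
            if name.lower() in SYSTEM_PROCESS_NAMES or stem in SYSTEM_PROCESS_NAMES:
                flag(run, name, target, "Run value named after a core system process", "delete the value")
            elif any(ord(c) > 127 for c in target):
                flag(run, name, target, "Run target contains non-ASCII characters (homoglyph name?)", "delete the value")

    shell = keys.get(WINLOGON.lower(), {}).get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        flag(WINLOGON, "Shell", shell, "Winlogon Shell starts something besides Explorer.exe", "Explorer.exe")

    adv = keys.get(ADVANCED.lower(), {})
    if adv.get("Hidden") == 0 and adv.get("ShowSuperHidden") == 0 and adv.get("HideFileExt") == 1:
        flag(ADVANCED, "Hidden/ShowSuperHidden/HideFileExt", (0, 0, 1),
             "Explorer forced to hide hidden files, protected OS files and extensions",
             "Hidden=1, ShowSuperHidden=1, HideFileExt=0 (or delete the values)")

    if keys.get(POLICIES.lower(), {}).get("NoFolderOptions") == 1:
        flag(POLICIES, "NoFolderOptions", 1,
             "Folder Options disabled by policy, so the user cannot undo the settings above",
             "delete the value or set it to 0")
    return findings


# Constructed sample export reproducing the values described on this page (the Shell
# path is written the way the page prints the file name, i.e. with the mojibake letters).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"lsass"="C:\\WINDOWS\\system32\\DETER177\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\ÀHTÎMSYS19.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''

if __name__ == "__main__":
    for f in triage_registry(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['reason']} (expected: {f['expected']})")
```

Export the keys from the suspect machine with `reg export`, copy the .reg files off the box and run the script on them. The Advanced check deliberately matches the exact triple the Trojan writes rather than any non-default value, because Hidden=2 and HideFileExt=1 are ordinary user settings and would otherwise produce noise.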

The Trojan then creates a hidden file called "psador18.dll" in the Windows system directory:

%System%\рsаdоr18.dll (the "р", "а" and "о" are Cyrillic letters)

The file contains the following email addresses:

ot01_***@mail.ru
ot02_***@mail.ru

The Trojan also extracts a rootkit driver called "psagor18.sys" from its body and places it in the Trojan's working directory. The rootkit hides the "psador18.dll" and "AHTOMSYS19.exe" files and gives the Trojan the highest system privileges, so that its file cannot be deleted and its processes cannot be terminated while the rootkit is loaded.

The driver is deleted when the system shuts down and recreated when the system is rebooted.

The Trojan watches for windows with the following titles (Russian titles are given with an English translation in parentheses):

NOD32 2.5 Control Center
Сканер NOD32 по требованию - [Профиль центра управления - Локально] (NOD32 on-demand scanner - [Control Center profile - Local])
Сканер NOD32 по требованию - [Профиль контекстного меню] (NOD32 on-demand scanner - [Context menu profile])
NOD32 - Предупреждение (NOD32 - Warning)
Пpeдупpeждeниe (Warning; the "p" and "e" in this title are Latin letters mixed into the Cyrillic word)
Редактор конфигурации NOD32 - [Untitled] (NOD32 Configuration Editor - [Untitled])
Антивирус Касперского Personal (Kaspersky Anti-Virus Personal)
0- выполняется проверка... (0- scan in progress...)
Карантин (Quarantine)
Настройка обновления (Update settings)
Настройка карантина и резервного хранилища (Quarantine and backup storage settings)
Выберите файл для отправки на исследование (Select a file to send for analysis)
AVP.MessageDialog
AVP.MainWindow
AVP.Product_Notification
AVP.SettingsWindow
AVP.ReportWindow
Agnitum Outpost Firewall - configuration.cfg
Настройка системы (System Configuration)
Редактор реестра (Registry Editor)
RegEdit_RegEdit

If the Trojan finds such a window, it closes it automatically, which blocks the antivirus, firewall, msconfig and regedit windows the user would need to inspect or remove it.

The Trojan also looks for removable flash drives. When it finds one, it copies its body to the drive as "CDburn.exe" and creates an "autorun.inf" file that references that copy, so that the Trojan is launched automatically each time the drive is connected to a system on which AutoRun is enabled for removable media.
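As an added example, not code from this description, the following Python script parses an autorun.inf the way AutoRun reads it (case-insensitive [autorun] section; open=, shellexecute= and shell\<verb>\command= entries all launch a program) and reports whether the referenced executable is actually present in the drive's root. The autorun.inf and the root listing are constructed; the page says only that the file references the Trojan's body as CDburn.exe, so the exact keys used and the action= label are assumptions.

```python
# Keys in [autorun] that execute a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return {key (lower-cased): value} from the [autorun] section. Section and key
    names are matched case-insensitively; ';' comments and blank lines are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """Files autorun would execute: open=, shellexecute= and every shell\\<verb>\\command=."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            parts = value.split()
            if parts:                                   # drop any command-line arguments
                targets.append(parts[0].strip('"'))
    return targets


def triage_autorun(text: str, root_listing) -> dict:
    """Summarise an autorun.inf against the drive's root directory listing."""
    entries = parse_autorun(text)
    listing = {name.lower() for name in root_listing}
    targets = launch_targets(entries)
    present = sorted({t for t in targets
                      if t.replace("/", "\\").split("\\")[-1].lower() in listing})
    return {
        "targets": targets,
        "present_in_root": present,
        # action= replaces the AutoPlay prompt text; a folder-like label is a social-engineering tell
        "spoofed_action": entries.get("action", ""),
        "live": bool(present),
    }


# Constructed autorun.inf of the kind this Trojan drops (the real file was not published;
# the action= line in particular is an assumption, not something the page describes).
SAMPLE_AUTORUN = """\
[AutoRun]
open=CDburn.exe
shellexecute=CDburn.exe
shell\\Open\\command=CDburn.exe
shell=Open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
# Constructed root listing of an infected drive
SAMPLE_ROOT = ["autorun.inf", "CDburn.exe", "photos", "report.doc"]

if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN, SAMPLE_ROOT))
```

Windows 7 and later (and XP/Vista with update KB971029) no longer honour autorun.inf on USB mass-storage devices, so the spreading mechanism described here worked on the XP-era systems this description targets; the check remains useful for finding the dropped files on drives that have been plugged into an infected machine.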

The Trojan also harvests email addresses from the victim machine and sends them a message with an empty subject line and the following body (Russian, with an English translation in parentheses):

Я незнаю ее там помоему небыло(((... вот, посмотри http://softclub.land.ru/seeing/katie.rar (I don't know, I don't think she was there(((... here, take a look http://softclub.land.ru/seeing/katie.rar)

Removal instructions

If your computer does not have up-to-date antivirus protection, or has no antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the original Trojan file (its location depends on how the program originally reached the victim machine).
  3. Delete all files created by the Trojan:
    %System%\DETER177\lsass.exe
    %System%\DETER177\smss.exe
    %System%\DETER177\svсhоst.exe (the "с" and "о" are Cyrillic letters)
    %System%\ctfmon.exe
    %System%\АHTОMSYS19.exe (the "А" and "О" are Cyrillic letters)
    %System%\рsаdоr18.dll (the "р", "а" and "о" are Cyrillic letters)
  4. Delete the following system registry values:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon" = "%System%\ctfmon.exe"
    "lsass" = "%System%\DETER177\lsass.exe"
  5. Reboot the computer and start Windows normally.
  6. Revert the following system registry values:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe %System%\АHTОMSYS19.exe"

    to

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "0"
    "ShowSuperHidden" = "0"
    "HideFileExt" = "1"

    to

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = ""
    "ShowSuperHidden" = ""
    "HideFileExt" = ""

    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoFolderOptions" = "1"

    to

    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoFolderOptions" = ""
  7. Check the root directory of every flash drive that has been connected to the victim machine for the following files:
    CDburn.exe
    autorun.inf
  8. If such files are found, delete them.
  9. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or added to the list of programs that run automatically when the operating system boots.

Information about the names and locations of the programs to be downloaded is either hard-coded in the Trojan or fetched by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used for the initial infection of visitors to websites that host exploits.



Aliases

Trojan-Downloader.Win32.VB.bnp (Kaspersky Lab) is also known as:

  • Trojan: Generic Downloader.a (McAfee)
  • Mal/Generic-L (Sophos)
  • W32/Penetrator.A.worm (Panda)
  • Worm:Win32/Rotrumas.A (MS(OneCare))
  • Win32.HLLW.Kati (DrWeb)
  • Win32/VB.NNJ worm (Nod32)
  • Trojan.Downloader.VB.VKV (BitDef7)
  • Win32:Malware-gen (AVAST)
  • Worm.Win32.VB (Ikarus)
  • TR/VB.Agen.178688.B (AVIRA)
  • Downloader (NAV)
  • W32/Obfuscated.H3!genr (Norman)
  • Trojan-Downloader.Win32.VB.bnp [AVP] (FSecure)