Internet threat level: 1
Home→Descriptions→P2P-Worm.Win32.BlackControl.g
P2P-Worm.Win32.BlackControl.g
| Detected | Aug 18 2010 13:59 GMT |
| Released | Aug 18 2010 20:24 GMT |
| Published | Aug 20 2010 09:51 GMT |
Payload
Technical Details
The malicious program intercepts the user’s requests to various sites and redirects them to a malicious URL. It also contains a tool for sending phishing messages. It propagates via e-mail and peer-to-peer networks. It is a Windows PE EXE file. The file is ~300 KB in size. It is written in C++.
Installation
When launched, the Trojan copies its executable file to the Windows system folder:
%system%\HPWuSchdq.exe
It also extracts itself and creates an executable file on the hard drive which is also part of the malicious program:
%appdata%\SystemProc\lsass.exe
In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable files in the following system registry autorun keys:
"HP Software Updater v1.2"="%system%\HPWuSchdq.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="%appdata%\SystemProc\lsass.exe"
The Trojan adds its executable file to the Windows firewall list of trusted applications.
FirewallPolicy\StandardProfile\Auth orizedApplications\List]
"%system%\HPWuSchdq.exe"="%system%\HPWuSchdq.exe:*:Enabled:Explorer"
The malicious program may also create the following system registry keys in which it stores its configuration data:
[HKÑU\Identities] "Curr version" "Inst Date" "Last Date" "Send Inst" "First Start" "Popup count" "Popup date" "Popup time" "KillSelf"
Payload
Once the malicious program has installed, it sends an "infection successful" message to the C&C server at the following address:
http://contr***.com/inst.php?aid=blackout
It requests the victim computer’s IP address from the following site to determine its location:
http://whatis***.com/automation/n09230945.asp
The malicious program then tracks the operation of the following browsers:
Internet Explorer Opera Google Chrome Mozilla Firefox
If the user visits a web page with a header containing any of the following words:
hotel travel antivirus antivir pocker poker video vocations design graphic
football footbal estate baseball books gifts money spyware credit loans dating
myspace virus verizon amazon iphone software mobile music craigslist sport
medical school wallpaper military weather twitter fashion spybot trading
tramadol flower cigarettes doctor flights airlines comcast
the program intercepts this request and redirects it to:
XQA9D8&sid=<rnd>&key=<keyword>
Where <rnd> is a generated number, and <keyword> is one of the above keywords.
The malicious program also tracks all search requests the user sends to any of the following search engines:
google yahoo live msn bing youtobe
The search request data is sent to the following URL:
http://tetro***.com/request.php?aid=blackout&ver=25
The malicious program harvests all e-mail addresses stored in the computer and sends the following message to them:
The link "visit our verification page" in this message takes the user to the fake phishing site http://barc***.ath.cx/LogIn.html which is controlled by the cybercriminal.
Once on this page, the user is prompted to enter their login data for a Barclays Bank online banking account.The malicious program terminates the processes of popular IT security products and antivirus tools, including:
- Kaspersky Anti-Virus
- Antivirus System Tray Tool
- Avira Internet Security
- AntiVir PersonalEdition Classic Service
- Rising Process Communication Center
It simultaneously deletes information about them from the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
It may block user requests to IT security vendors’ sites.
IT terminates the User Account Control service in Windows Vista/7:
"UACDisableNotify"=dword:00000001
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
The malicious program also terminates the following services:
ERSvc - Error Reporting Service
wscsvc - Windows Security Center Service
It downloads an update from one of the following URLs:
http://posit***.com/update.php?sd=2010-04-27&aid=blackout
http://rts***.com/update.php?sd=2010-04-27&aid=blackout
http://qul***.com/update.php?sd=2010-04-27&aid=blackout
The new version of the malicious program is downloaded to the file C:\autoexec.exe and launched for execution. The file is then deleted.
At the time of writing this link was inactive.
Propagation
The malicious program propagates via e-mail messages by sending the following types of messages with the executable file attached under varying names.
The malicious program also propagates using peer-to-peer networks by copying itself to the following shared folders:
%ProgramFiles%\winmx\shared\ %ProgramFiles%\tesla\files\ %ProgramFiles%\limewire\shared\ %ProgramFiles%\morpheus\my shared folder\ %ProgramFiles%\emule\incoming\ %ProgramFiles%\edonkey2000\incoming\ %ProgramFiles%\bearshare\shared\ %ProgramFiles%\grokster\my grokster\ %ProgramFiles%\icq\shared folder\ %ProgramFiles%\kazaa lite k++\my shared folder\ %ProgramFiles%\kazaa lite\my shared folder\ %ProgramFiles%\kazaa\my shared folder\
Its copies may have any of the following names:
YouTubeGet 5.6.exe Youtube Music Downloader 1.3.exe WinRAR v3.x keygen [by HiXem].exe Windows2008 keygen and activator.exe [+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe Windows Password Cracker + Elar3 key.exe [Eni0j0 team] Windows 7 Ultimate keygen.exe Windows 2008 Enterprise Server VMWare Virtual Machine.exe Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe Website Hacker.exe [Eni0j0 team] Vmvare keygen.exe VmWare 7.x keygen.exe UT 2003 KeyGen.exe Twitter FriendAdder 2.3.9.exe Tuneup Ultilities 2010.exe [antihack tool] Trojan Killer v2.9.4173.exe Total Commander7 license+keygen.exe Super Utilities Pro 2009 11.0.exe Sub7 2.5.1 Private.exe Sophos antivirus updater bypass.exe sdbot with NetBIOS Spread.exe [fixed]RapidShare Killer AIO 2010.exe Rapidshare Auto Downloader 3.8.6.exe Power ISO v4.4 + keygen milon.exe [patched, serial not needed] PDF Unlocker v2.0.5.exePDF-XChange Pro.exe [patched, serial not needed] PDF to Word Converter 3.4.exe PDF password remover (works with all acrobat reader).exe Password Cracker.exe Norton Internet Security 2010 crack.exe Norton Anti-Virus 2010 Enterprise Crack.exe Norton Anti-Virus 2005 Enterprise Crack.exe NetBIOS Hacker.exe NetBIOS Cracker.exe [patched, serial not need] Nero 9.x keygen.exe Myspace theme collection.exe MSN Password Cracker.exe Mp3 Splitter and Joiner Pro v3.48.exe Motorola, nokia, ericsson mobil phone tools.exe Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe Microsoft Visual Studio KeyGen.exe Microsoft Visual C++ KeyGen.exe Microsoft Visual Basic KeyGen.exe McAfee Total Protection 2010 [serial patch by AnalGin].exe Magic Video Converter 8.exe LimeWire Pro v4.18.3 [Cracked by AnalGin].exe L0pht 4.0 Windows Password Cracker.exe K-Lite Mega Codec v5.2 Portable.exe K-Lite Mega Codec v5.2.exe Keylogger unique builder.exe Kaspersky Internet Security 2010 keygen.exe Kaspersky AntiVirus 2010 crack.exe IP Nuker.exe Internet Download Manager V5.exe Image Size Reducer Pro v1.0.1.exe ICQ Hacker Trial version [brute].exe Hotmail Hacker [Brute method].exe Hotmail Cracker [Brute method].exe Half-Life 2 Downloader.exe Grand Theft Auto IV [Offline Activation + mouse patch].exe Google SketchUp 7.1 Pro.exe G-Force Platinum v3.7.6.exe FTP Cracker.exe DVD Tools Nero 10.x.x.x.exe Download Boost 2.0.exe Download Accelerator Plus v9.2.exe Divx Pro 7.x version Keymaker.exe DivX 5.x Pro KeyGen generator.exe DCOM Exploit archive.exe Daemon Tools Pro 4.8.exe Counter-Strike Serial key generator [Miona patch].exe CleanMyPC Registry Cleaner v6.02.exe Brutus FTP Cracker.exe Blaze DVD Player Pro v6.52.exe BitDefender AntiVirus 2010 Keygen.exe Avast 5.x Professional.exe Avast 4.x Professional.exe Ashampoo Snap 3.xx [Skarleot Group].exe AOL Password Cracker.exe AOL Instant Messenger (AIM) Hacker.exe AnyDVD HD v.6.3.1.8 Beta incl crack.exe Anti-Porn v13.x.x.x.exe Alcohol 120 v1.9.x.exe Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe Adobe Illustrator CS4 crack.exe Adobe Acrobat Reader keygen.exe Ad-aware 2010.exe [patched, serial not needed] Absolute Video Converter 6.2-7.exe
P2P Worms spread via peer-to-peer file sharing networks (such as Kazaa, Grokster, EDonkey, FastTrack, Gnutella, etc.).
Most of these worms work in a relative simple way: in order to get onto a P2P network, all the worm has to do is copy itself to the file sharing directory, which is usually on a local machine. The P2P network does the rest: when a file search is conducted, it informs remote users of the file and provides services making it possible to download the file from the infected computer.
There are also more complex P2P-Worms that imitate the network protocol of a specific file sharing system and responds positively to search queries; a copy of the P2P-Worm is offered as a match.
P2P-Worm.
- Trojan:
Generic. dx!tlf (McAfee) - Troj/Agent-OKC (Sophos)
- Trojan.
VB-19624 (ClamAV) - W32/Dursg.
A. worm (Panda) - VirTool:
Win32/VBInject. gen!FA (MS(OneCare)) - Trojan.
AVKill. 2186 (DrWeb) - Win32/Injector.
CTX trojan (Nod32) - Dropped:
Worm. Generic. 268476 (BitDef7) - Worm.
Generic. 268476 (BitDef7) - Worm.
P2P. BlackControl!1tXZHSHm/JE (VirusBuster) - Win32:
Inject-AAI [Trj] (AVAST) - P2P-Worm.
Win32. BlackControl (Ikarus) - Dropper.
Generic2. ANYO (AVG) - <<< WORM/BlackControl.
G (AVIRA) - WORM/BlackControl.
G (AVIRA) - W32.
Ackantta@mm (NAV) - W32/Suspicious_Gen2.
CCUKO (Norman) - Trojan.
Win32. Generic. 5228D228 (Rising) - P2P-Worm.
Win32. BlackControl. g [AVP] (FSecure) - WORM_PROLACO.
KAI (TrendMicro) - Trojan.
Win32. Generic!BT (Sunbelt) - Worm.
P2P. BlackControl!1tXZHSHm/JE (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.