
Trojan.Win32.Jorik.Buterat.dp

Detected Jul 22 2011 05:48 GMT
Released Jul 22 2011 07:27 GMT
Published Sep 20 2011 08:47 GMT


Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file), 56832 bytes in size, packed by an unknown packer; the unpacked size is around 53 kB. Written in C++.

Installation

Depending on the launch parameters, the trojan copies its body to the following file:

%APPDATA%\netprotocol.exe

or creates a copy in the Windows system directory:

%System%\netprotocol.exe

A value is created under the following system registry key so that the copy is launched automatically at every system start:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

If this key cannot be created, the trojan instead creates the following one:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

If the file was copied to the Windows system directory, the following key is created instead:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%System%\netprotocol.exe"

The trojan then launches the created copy.


Payload

After launching, the trojan contacts the following servers to receive commands for further action:

http://dia***sp.in
http://los***ph.com
http://kas***seuk.com
http://krex***amdx.com

It then enters a loop, waiting for commands.

On the attacker's command, the trojan may update its executable, downloading the update from the attacker's server. It may also download a file from the server, saving it in its working directory as:

%WorkDir%\netprotdrvss

Once the download completes, the file is launched. Requests to the attacker's server take the following forms:
  1. A request notifying the attacker that the trojan was successfully installed on the user's computer:
    <serverName>/nconfirm.php?rev=350&code=11m=2&num=<uniqueNum>
  2. A request for the command the trojan should execute next:
    <serverName>/njob.php?num=<uniqueNum>&rev=350
  3. A request to download the file "netprotdrvss":
    <serverName>/nconfirm.php?rev=350&code=11m=2&num=<uniqueNum>

where <serverName> is one of the attacker's servers listed above and <uniqueNum> is a number derived from the network hardware of the user's computer, for example "40401870851072".
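As an added example (not part of the Kaspersky description), the following PowerShell function flags web-proxy log lines that match the two request shapes above, extracts the contacted host and the per-machine number, and groups hits by that number so that one infected machine beaconing to several servers shows up as a single identifier. The log layout, the client addresses and the host names are constructed placeholders, since the description masks the real server names; matching is done on the script name and the rev=350 and num= parameters rather than on the host, so a server name changed on the attacker's command is still caught.

```powershell
# Added example, not part of the Kaspersky description: flag proxy-log lines whose
# request matches the two beacon shapes (nconfirm.php and njob.php, both carrying
# rev=350 and a num= parameter). The log layout is a constructed "client host path"
# format and the host names are placeholders, because the description masks the real ones.
$SampleLog = @'
10.0.0.12 www.example.com /index.html
10.0.0.12 c2-placeholder-1.example /nconfirm.php?rev=350&code=11m=2&num=40401870851072
10.0.0.15 www.example.org /njob.php?num=4
10.0.0.12 c2-placeholder-2.example /njob.php?num=40401870851072&rev=350
10.0.0.20 www.example.net /search.php?q=test
'@

function Find-JorikBeacons {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Match on the script name plus the rev=350 and num= parameters (in either order),
    # not on the host, so a changed server name does not evade the check.
    $pattern = '^(?<client>\S+)\s+(?<host>\S+)\s+(?<path>/(?<script>nconfirm|njob)\.php\?' +
               '(?=\S*\brev=350\b)(?=\S*\bnum=(?<num>\d+))\S*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Client    = $Matches['client']
                Host      = $Matches['host']
                Endpoint  = $Matches['script']
                UniqueNum = $Matches['num']
                Request   = $Matches['path']
            }
        }
    }
}

# Hits grouped by the trojan's per-machine identifier; the same UniqueNum seen from
# several client addresses would mean the value is not as unique as the name suggests.
$hits = Find-JorikBeacons -Lines ($SampleLog -split '\r?\n')
$hits | Format-Table -AutoSize
$hits | Group-Object UniqueNum | Select-Object Name, Count
```

On the sample above the third line (njob.php without rev=350) is deliberately left unflagged; whether a stricter or looser match is appropriate depends on how much of the request shape is stable across samples, which is why the script name and both parameters are required here.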

For its continued operation, the trojan creates a configuration file at the following path:

%WorkDir%\System.log
The trojan may receive the following commands from the attacker's server:
<ZORKASITE>
<BEGUNFEED>
<REKLOSOFT>
<TEASERNET>
<SUPERPOISK>
<DIRECTST>
<LIVINETCH>
<PARKING>
<UPDATE>
<DOWNRUN>
<PRIORITYHOST>
<SETSTPAGE>
<COOKREJCT>
<DESTROY>
Depending on the command received, it may carry out the following actions:
  • "Cheat" site-visit statistics: send search requests and follow links, received from the attacker's server, to the resources whose rating is to be inflated;
  • Replace search results;
  • Change the default home page and search engine for the following browsers:
    Internet Explorer
    Opera
    Mozilla Firefox

To do so, the trojan carries out the following actions:

  1. it modifies the values of the following system registry keys:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = "http://w***olta.ru"
    
    [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
    "DisplayName"="Webvolta"
    "URL"="http://we***lta.ru/search.php?q={searchTerms}"
    
  2. it creates a file in the Windows system directory:
    %System%\operaprefs_fixed.ini
    this file contains the following strings:
    [User Prefs]
    Startup Type=2
    Home URL= http://we***lta.ru
    
  3. it modifies the following file:
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\user.js
    
    It writes the following strings to the file:
    user_pref("dom.disable_window_status_change", false);
    user_pref("startup.homepage_override_url", "http://webvolta.ru");
    user_pref("browser.startup.page", 1);
    user_pref("browser.startup.homepage", "http://webvolta.ru");
    user_pref("browser.search.selectedEngine", "Webvolta");
    
  4. it creates a file at the following path:
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\searchplugins\webvolta.xml
    

The file contains the following strings:
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Webvolta</ShortName>
<Description>Webvolta search.</Description>
<InputEncoding>windows-1251</InputEncoding>
<Url type="text/html" method="GET" template="http://web***ta.ru/search.php?">
<Param name="q" value="{searchTerms}"/>
</Url>
</SearchPlugin>
  • Embeds JavaScript code that shows adverts for the following resource on the pages the user visits:
    http://be***n.ru
  • Changes the attacker's server that the trojan contacts;
  • Clears the contents of the system registry branch:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]
    
    which resets the per-site decisions to allow or block cookies;
  • While the user is browsing, redirects them to resources specified by the attacker;
  • It creates the following system registry keys:
    [HKLM\Software\Microsoft\Netprotocol]
    "UniqueNum" = "<uniqueNum>"
    
    [HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    "(Default)" = ""
    
    [HKLM\Software\Classes\MIME\Database\Content Type\application/x-javascript]
    "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
    
    [HKLM\Software\Classes\MIME\Database\Content Type\text/javascript]
    "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
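The three browser artefacts described above (the Firefox user.js, the Opera operaprefs_fixed.ini and the Webvolta search plugin) can be inspected with the added PowerShell below, which is not part of the description and not a Kaspersky tool. The parsers take file contents as strings, so they are shown running on samples built from the strings listed above; Invoke-BrowserHijackCheck reads the live paths the description names, assuming %System% is System32 and a Firefox profile directory in its default location.

```powershell
# Added example, not part of the Kaspersky description: parse the three browser
# configuration artefacts and report every setting that points at the hijack domain.
# Parsers take file contents as strings so they can run on samples;
# Invoke-BrowserHijackCheck reads the live paths (%System% assumed to be System32).

# Constructed samples mirroring the strings listed in the description
$SampleUserJs = @'
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "http://webvolta.ru");
user_pref("browser.search.selectedEngine", "Webvolta");
user_pref("network.cookie.cookieBehavior", 0);
'@
$SampleOperaIni = @'
[User Prefs]
Startup Type=2
Home URL= http://webvolta.ru
'@
$SampleSearchPlugin = @'
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Webvolta</ShortName>
<Url type="text/html" method="GET" template="http://webvolta.ru/search.php?">
<Param name="q" value="{searchTerms}"/>
</Url>
</SearchPlugin>
'@

function Get-HijackedUserJsPrefs {
    param([string]$Content, [string]$Marker = 'webvolta')
    # user_pref("name", value);  -> name and value (surrounding quotes stripped)
    $rx = 'user_pref\("(?<name>[^"]+)",\s*(?<value>[^)]*)\)'
    foreach ($m in [regex]::Matches($Content, $rx)) {
        $value = $m.Groups['value'].Value.Trim().Trim('"')
        if ($value -match [regex]::Escape($Marker)) {
            [pscustomobject]@{ Source = 'user.js'; Setting = $m.Groups['name'].Value; Value = $value }
        }
    }
}

function Get-HijackedOperaPrefs {
    param([string]$Content, [string]$Marker = 'webvolta')
    # Minimal INI scan: key=value lines only; [section] headers and comments are skipped
    foreach ($line in $Content -split '\r?\n') {
        if ($line -notmatch '^\s*(?<key>[^=;\[]+?)\s*=\s*(?<value>.*?)\s*$') { continue }
        $key = $Matches['key']; $value = $Matches['value']   # copy before the next -match overwrites $Matches
        if ($value -match [regex]::Escape($Marker)) {
            [pscustomobject]@{ Source = 'operaprefs_fixed.ini'; Setting = $key; Value = $value }
        }
    }
}

function Get-HijackedSearchPlugin {
    param([string]$Content, [string]$Marker = 'webvolta')
    $doc = [xml]$Content
    $template = [string]$doc.SearchPlugin.Url.template
    if ($template -match [regex]::Escape($Marker)) {
        [pscustomobject]@{ Source = 'searchplugins\webvolta.xml'; Setting = [string]$doc.SearchPlugin.ShortName; Value = $template }
    }
}

function Invoke-BrowserHijackCheck {
    # Live-system wrapper over the paths the description names
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profiles) {
        foreach ($p in Get-ChildItem -LiteralPath $profiles -Directory) {
            $userJs = Join-Path $p.FullName 'user.js'
            if (Test-Path -LiteralPath $userJs) { Get-HijackedUserJsPrefs -Content (Get-Content -LiteralPath $userJs -Raw) }
            $plugin = Join-Path $p.FullName 'searchplugins\webvolta.xml'
            if (Test-Path -LiteralPath $plugin) { Get-HijackedSearchPlugin -Content (Get-Content -LiteralPath $plugin -Raw) }
        }
    }
    $opera = Join-Path $env:SystemRoot 'System32\operaprefs_fixed.ini'   # %System% assumed to be System32
    if (Test-Path -LiteralPath $opera) { Get-HijackedOperaPrefs -Content (Get-Content -LiteralPath $opera -Raw) }
}

# Run against the constructed samples
@(Get-HijackedUserJsPrefs -Content $SampleUserJs) +
@(Get-HijackedOperaPrefs -Content $SampleOperaIni) +
@(Get-HijackedSearchPlugin -Content $SampleSearchPlugin) | Format-Table -AutoSize
```

The marker is matched case-insensitively, so both the "Webvolta" engine name and the webvolta.ru URLs are reported; the cookie preference in the sample is left alone, since only settings that point at the hijack domain are of interest here.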
    


Removal instructions

If your computer was not protected by anti-virus software and has been infected, take the following steps to remove the malware:

  1. Restart the computer in Safe Mode (press F8 during start-up and select "Safe Mode" from the Windows boot menu).
  2. Delete the following system registry entries:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netprotocol" = "%APPDATA%\netprotocol.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netprotocol" = "%APPDATA%\netprotocol.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netprotocol" = "%System%\netprotocol.exe"
    
    [HKLM\Software\Microsoft\Netprotocol]
    "UniqueNum" = "<uniqueNum>"
    
    [HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    "(Default)" = ""
    
    [HKLM\Software\Classes\MIME\Database\Content Type\application/x-javascript]
    "CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
    
    [HKLM\Software\Classes\MIME\Database\Content Type\text/javascript]
    "CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
    
  3. Restore the original values of the following system registry parameters:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page"
    
    [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
    "DisplayName"
    "URL"
    
  4. Delete the following files:
    %APPDATA%\netprotocol.exe
    %System%\netprotocol.exe
    %WorkDir%\netprotdrvss
    %WorkDir%\System.log
    %System%\operaprefs_fixed.ini
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\user.js
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\searchplugins\webvolta.xml
    
  5. Delete the original trojan file (its location on the infected computer depends on how the program got onto the computer).
  6. Clear the Temporary Internet Files directory, which contains the infected files:
    %Temporary Internet Files%
  7. Run a full scan of the computer with Kaspersky Anti-Virus using updated antivirus databases.
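The following PowerShell is an added example, not Kaspersky's removal tool, covering steps 2 to 4 above together with the Start Page part of step 3: Get-NetprotocolArtifacts lists which of the registry values and files named in the Installation and Payload sections are actually present on the machine, and Remove-NetprotocolArtifacts deletes them, honouring -WhatIf. Assumptions made here and not stated on the page: %System% is System32; %WorkDir%, the directory the trojan runs from, is whichever of the two copy locations holds it; the Run, MIME and AppEvents keys are shared with legitimate software, so only the trojan's value is removed rather than the whole key; the original Start Page is unknown, so it is reset to about:blank; and the SearchScopes entry is left for manual review because its original contents cannot be known. The .NET registry classes are used because two of the key names contain a forward slash.

```powershell
# Added example, not Kaspersky's removal tool: list the persistence artefacts the
# description names (registry values, files) and delete them on request. Run from an
# elevated PowerShell and try -WhatIf first. Assumptions: %System% is System32 and
# %WorkDir% (the directory the trojan runs from) is wherever its copy was placed.
$Hives = @{
    HKLM = [Microsoft.Win32.Registry]::LocalMachine
    HKCU = [Microsoft.Win32.Registry]::CurrentUser
}
$TrojanClsid = '{25336920-03F9-11cf-8FD0-00AA00686F13}'   # data the trojan writes to the MIME keys
$RegistryValues = @(
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Netprotocol' },
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Netprotocol' },
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Netprotocol'; Name = 'UniqueNum' },
    # Name '' is the (Default) value; the trojan sets it to an empty string
    @{ Hive = 'HKCU'; Key = 'AppEvents\Schemes\Apps\Explorer\Navigating\.Current'; Name = ''; Expect = '' },
    @{ Hive = 'HKLM'; Key = 'Software\Classes\MIME\Database\Content Type\application/x-javascript'; Name = 'CLSID'; Expect = $TrojanClsid },
    @{ Hive = 'HKLM'; Key = 'Software\Classes\MIME\Database\Content Type\text/javascript'; Name = 'CLSID'; Expect = $TrojanClsid }
)

function Get-NetprotocolArtifacts {
    # Report only. The .NET registry API is used because two key names contain '/'.
    foreach ($v in $RegistryValues) {
        $key = $Hives[$v.Hive].OpenSubKey($v.Key)
        if ($null -eq $key) { continue }
        $data = $key.GetValue($v.Name)
        $key.Close()
        if ($null -eq $data) { continue }
        # Keys a clean system also has: only the exact data the trojan writes counts
        if ($v.ContainsKey('Expect') -and $data -ne $v.Expect) { continue }
        [pscustomobject]@{ Type = 'RegistryValue'; Hive = $v.Hive; Path = $v.Key; Name = $v.Name; Data = $data }
    }
    $system = Join-Path $env:SystemRoot 'System32'
    $files = @((Join-Path $system 'operaprefs_fixed.ini'))
    foreach ($dir in @($env:APPDATA, $system)) {
        foreach ($name in 'netprotocol.exe', 'netprotdrvss', 'System.log') { $files += Join-Path $dir $name }
    }
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profiles) {
        foreach ($p in Get-ChildItem -LiteralPath $profiles -Directory) {
            # user.js is deleted as the instructions say; a user who wrote their own should review it instead
            $files += Join-Path $p.FullName 'user.js'
            $files += Join-Path $p.FullName 'searchplugins\webvolta.xml'
        }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Hive = ''; Path = $f; Name = ''; Data = '' }
        }
    }
}

function Remove-NetprotocolArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($a in Get-NetprotocolArtifacts) {
        if ($a.Type -eq 'File') {
            if ($PSCmdlet.ShouldProcess($a.Path, 'Delete file')) { Remove-Item -LiteralPath $a.Path -Force }
        } elseif ($a.Path -eq 'Software\Microsoft\Netprotocol') {
            # The trojan's own key is removed whole
            if ($PSCmdlet.ShouldProcess("$($a.Hive)\$($a.Path)", 'Delete key')) {
                $Hives[$a.Hive].DeleteSubKeyTree($a.Path, $false)
            }
        } elseif ($PSCmdlet.ShouldProcess("$($a.Hive)\$($a.Path) [$($a.Name)]", 'Delete value')) {
            # Shared keys (Run, MIME, AppEvents) keep their other values; only the trojan's goes
            $key = $Hives[$a.Hive].OpenSubKey($a.Path, $true)
            $key.DeleteValue($a.Name, $false)
            $key.Close()
        }
    }
    # Step 3: the original Start Page is unknown, so it is reset to about:blank (assumption)
    # only while it still points at the hijack domain. The SearchScopes entry is left for manual review.
    $ie = $Hives['HKCU'].OpenSubKey('Software\Microsoft\Internet Explorer\Main', $true)
    if ($null -ne $ie) {
        $start = [string]$ie.GetValue('Start Page')
        if ($start -match 'webvolta' -and $PSCmdlet.ShouldProcess("Start Page = $start", 'Reset to about:blank')) {
            $ie.SetValue('Start Page', 'about:blank')
        }
        $ie.Close()
    }
}

# Usage: review, dry-run, then remove
Get-NetprotocolArtifacts | Format-Table -AutoSize
Remove-NetprotocolArtifacts -WhatIf
# Remove-NetprotocolArtifacts
```

Run the listing first and compare it with the artefacts above before removing anything; on a 64-bit Windows a 32-bit sample's HKLM writes may land in the Wow6432Node view, so running the script from the 32-bit PowerShell as well covers that case.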


md5: 6AFB00FE492DB4893D746263FA9BE9F7
sha1: 35176CB60F9D476B4FEC5DD959200CFD80FF98A7


Trojan

This type of behaviour covers malicious programs that delete, block, modify or copy data, or disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers "multipurpose" Trojan programs, i.e. those capable of performing several actions at once and so exhibiting several Trojan behaviours in a single program, which means they cannot be unambiguously assigned to any single behaviour.