English

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Watch us on

Home→Descriptions→Trojan.Win32.Jorik.Buterat.dp

Trojan.Win32.Jorik.Buterat.dp

Detected	Jul 22 2011 05:48 GMT
Released	Jul 22 2011 07:27 GMT
Published	Sep 20 2011 08:47 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file). 56832 bytes. Packed by an unknown packer. Unpacked size – around 53 kB. Written in C++.

Installation

Depending on the launch parameters, the trojan copies its body to the following file:

%APPDATA%\netprotocol.exe

or creates a copy in the Windows system directory:

%System%\netprotocol.exe

A system registry key is created to automatically launch the created copy each time the system is started:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

If this key is not created, the trojan creates the following key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

If the file was copied to the Windows system directory, the following key is created:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol"="%System%\netprotocol.exe"

The trojan then launches the created copy for execution.

Payload

After launching, the trojan contacts the following servers to receive commands for further action:


http://dia***sp.in
http://los***ph.com
http://kas***seuk.com
http://krex***amdx.com

It then goes into a loop, waiting for commands.

On the attacker's command, the trojan may update its executable file, loading the update from the attacker's server. It may also download the file saved in the trojan's working directory as:

%WorkDir%\netprotdrvss

After successfully downloading the file, it is then launched for execution. Requests to the attacker's server may take the following forms:

A request to notify the attacker of the successful installation of the trojan on the user's computer:
```
<serverName>/nconfirm.php?rev=350&code=11m=2&num=<uniqueNum>
```
A request to receive a command for further action by the trojan:
```
<server>/njob.php?num=<number>&rev=350
```

A request to download the file "netprotdrvss":

<server>/nconfirm.php?rev=350&code=11m=2&num=<uniqueNum>

Where <serverName> is one of the above mentioned attacker's servers; <uniqueNum> is the unique number depending on the network equipment of the user's computer, for example "40401870851072".

To carry on working, the trojan creates a configuration file which is located at the following path:

%WorkDir%\System.log

The trojan may receive the following commands from the attacker's server:

<ZORKASITE>
<BEGUNFEED>
<REKLOSOFT>
<TEASERNET>
<SUPERPOISK>
<DIRECTST>
<LIVINETCH>
<PARKING>
<UPDATE>
<DOWNRUN>
<PRIORITYHOST>
<SETSTPAGE>
<COOKREJCT>
<DESTROY>

Depending on the command received, it may carry out the following actions:

"Cheat" the site visit statistics - send search requests and links to resources where the rating needs to be increased from the attacker's server.
Replace search results;
Change the default home page and search system for the following browsers:
```
Internet Explorer
Opera
Mozilla Firefox
```

The trojan therefore carries out the following actions:

it modifies the parameter values for the following system registry keys:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***olta.ru"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
"DisplayName"="Webvolta"
"URL"="http://we***lta.ru/search.php?q={searchTerms}"

it creates a file in the Windows system directory:
```
%System%\operaprefs_fixed.ini
```
this file contains the following strings:
```
[User Prefs]
Startup Type=2
Home URL= http://we***lta.ru
```

it modifies the following file:

%APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\user.js

It records the following strings to the file:

user_pref("dom.disable_window_status_change", false);
user_pref("startup.homepage_override_url", "http://webvolta.ru");
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "http://webvolta.ru");
user_pref("browser.search.selectedEngine", "Webvolta");

it creates a file at the following pathway:

%APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\searchplugins\webvolta.xml

The file contains the following strings:

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Webvolta</ShortName>
<Description>Webvolta search.</Description>
<InputEncoding>windows-1251</InputEncoding>
<Url type="text/html" method="GET" template="http://web***ta.ru/search.php?">
<Param name="q" value="{searchTerms}"/>
</Url>
</SearchPlugin>

Embeds Java Script code designed to show adverts for the following resource on the pages visited by the user:

http://be***n.ru

Changes the name of the attacker's server to which the trojan is directed;

Clears the contents of the system registry branch:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]

the trojan therefore resets the permit or blocks the "cookie" for the websites;

When the user uses the browser, it redirects the user to the resources indicated by the attacker;

It creates the following system registry keys:

[HKLM\Software\Microsoft\Netprotocol]
"UniqueNum" = "<uniqueNum>"

[HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
"(Default)" = ""

[HKLM\Software\Classes\MIME\Database\Content Type\application/x-javascript]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKLM\Software\Classes\MIME\Database\Content Type\text/javascript]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

Restart the computer in "safe mode" (when starting up, press F8, then select "Safe Mode" from the Windows start menu).

Delete the system registry keys (how to work with the registry?):

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol"="%System%\netprotocol.exe"

[HKLM\Software\Microsoft\Netprotocol]
"UniqueNum" = "<uniqueNum>"

[HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
"(Default)" = ""

[HKLM\Software\Classes\MIME\Database\Content Type\application/x-javascript]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKLM\Software\Classes\MIME\Database\Content Type\text/javascript]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

Restore the original system registry parameters (how to work with the registry?):

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
"DisplayName"
"URL"=

Delete the following files:

%APPDATA%\netprotocol.exe
%System%\netprotocol.exe
%WorkDir%\netprotdrvss
%WorkDir%\System.log
%System%\operaprefs_fixed.ini
%APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\user.js
%APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\searchplugins\webvolta.xml

Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
Clear the Temporary Internet Files directory containing the infected files (How to delete infected files in the Temporary Internet Files folder?):
```
%Temporary Internet Files%
```
Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

md5: 6AFB00FE492DB4893D746263FA9BE9F7
sha1: 35176CB60F9D476B4FEC5DD959200CFD80FF98A7

Malicious programs

Trojans

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com