
Saturday, 10 March 2012

Trojan-Ransom.Win32.DigiPog.xp


Technical Details

This Trojan disables a machine in order to obtain a ransom for restoring the system to its original condition. It is a Windows application (PE EXE file). It is 151 040 bytes in size. It is written in C++.

Installation

Once launched, the Trojan performs the following actions:
  • It attempts to unload the following processes from the system memory:
    Tmas.exe
    ekrn.exe
    gcasServ.exe
    msscli.exe
    avp.exe
    dwengine.exe
    avastsvc.exe
    avguard.exe
    winroute.exe
    zlclient.exe
    op_mon.exe
    
  • It stops the "SharedAccess" service.
  • It attempts to call the "__register_frame_info" and "_Jv_RegisterClasses" functions from the following libraries, respectively:
    %WorkDir%\libgcc_s_dw2-1.dll
    %WorkDir%\libgcj_s.dll
    
  • It creates the following file to flag its presence in the system:
    %USERPROFILE%\Application Data\efhhcwck.ddr (1598 bytes)
    
    It also creates the following system registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
    "0X29A"
    
  • It copies itself to the following file:
    %USERPROFILE%\Application Data\efhhcwck.exe
  • To ensure that the copy created is launched automatically each time the system is rebooted, the following system registry keys are created:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
    
    It also creates the shortcut:
    %USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
    
    This shortcut points to the created copy.
  • It launches the created copy for execution. The copy is launched twice: first without any parameters, and a second time with the "DNNL" parameter. There will always be two "efhhcwck.exe" processes running in the system; if one of them stops, the other process relaunches it.
  • During installation the Trojan displays the following windows:
  • In addition, the Trojan sends the following HTTP/1.0 GET requests to the malicious user's server, 188.***.168:
    /_req/?type=e&sid=2&sw=00000000000000000&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255
    /_req/?type=m&sid=2&sw=00000000000000000
    

Payload

Once launched, the Trojan performs the following actions:
    1. It deletes its original file by reading the path from the following file:
      %USERPROFILE%\Application Data\efhhcwck.ddr
    2. To ensure that its process is unique within the system, it creates a unique identifier:
      Global\dobeDNNLjpgo
    3. It creates the following system registry keys:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr" = "1"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoLogoff" = "1"
      
      This stops the Task Manager from launching and hides the "Shut down" sub-menu in the Start menu.
    4. It blocks Internet Explorer's access to the Internet by changing its proxy server settings:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "MigrateProxy" = "1"
      "ProxyEnable" = "1"
      "ProxyServer" = "http=127.0.0.1:41653;"
      
      At the same time, it deletes the following keys:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "ProxyOverride"
      "AutoConfigURL"
      
      These keys are created and deleted in an endless cycle.
    5. When the user runs other browsers, the Trojan blocks the following sites:
      www.drweb.com/unlocker
      www.esetnod32.ru/.support/winlock
      http://virusinfo.info/deblocker
      http://support.kaspersky.ru/viruses/deblocker
      
    6. It terminates the following processes in an endless cycle:
      far.exe
      msconfig.exe
      taskmgr.exe
      taskkill.exe
      avz.exe
      regedit.exe
      procmon.exe
      
    7. It displays the following window over the top of all open windows in the lower right corner of the screen:
    8. It sends the following HTTP/1.0 GET request to the malicious user's server, 188.***.168:
      _req/?type=s&sid=2&sw=00000000000000001&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255
      
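The check-in requests listed under Installation (type=e and type=m) and in Payload step 8 (type=s) share one path and one parameter set, which makes them a usable network indicator. The Python below is an added example and is not part of the original write-up: it scans web-proxy log lines for that request shape, reads the stage from the type parameter, and reports the furthest stage each client reached. The log line layout and the server address 198.51.100.7 are constructed for the example (the write-up redacts the real server as 188.***.168); assigning type=e/m to installation and type=s to payload follows the order in which the write-up lists the requests.

```python
"""Spot DigiPog-style check-in requests in web-proxy logs.

Added example, not code from the original write-up.  Log lines use a
constructed "<epoch> <client> <method> <url> <status>" layout; adapt LINE_RE
to your proxy's format.  The path and query parameters come from the write-up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one client walks through both request stages, another
# client makes an unrelated request.  198.51.100.7 is a placeholder for the
# server, which the write-up redacts as 188.***.168.
SAMPLE_LOG = """\
1331380800.101 10.0.0.12 GET http://198.51.100.7/_req/?type=e&sid=2&sw=00000000000000000&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255 200
1331380801.220 10.0.0.12 GET http://198.51.100.7/_req/?type=m&sid=2&sw=00000000000000000 200
1331380830.515 10.0.0.12 GET http://198.51.100.7/_req/?type=s&sid=2&sw=00000000000000001&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255 200
1331380831.004 10.0.0.15 GET http://example.com/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Every listed request carries these three parameters; the OS fields only
# appear on the type=e and type=s requests.
REQUIRED = ("type", "sid", "sw")
# Stage assignment follows the order in which the write-up lists the requests.
STAGE = {"e": "installation", "m": "installation", "s": "payload"}


def classify_url(url):
    """Return request details if the URL matches the check-in shape, else None."""
    parts = urlsplit(url)
    if parts.path != "/_req/":
        return None
    query = parse_qs(parts.query)
    if not all(name in query for name in REQUIRED):
        return None
    req_type = query["type"][0]
    if req_type not in STAGE:
        return None
    return {
        "type": req_type,
        "stage": STAGE[req_type],
        "sid": query["sid"][0],
        "sw": query["sw"][0],
        "host": parts.hostname,
        # ostype/ossp/osbits/osfwtype/osrights profile the victim's OS
        "os_fields": {k: v[0] for k, v in query.items() if k.startswith("os")},
    }


def find_beacons(log_text):
    """Parse log lines and return one record per matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        info = classify_url(match["url"])
        if info is None:
            continue
        hits.append({"ts": match["ts"], "client": match["client"], **info})
    return hits


def stage_reached(hits):
    """Per client, the furthest stage observed (payload outranks installation)."""
    rank = {"installation": 1, "payload": 2}
    furthest = {}
    for hit in hits:
        if rank[hit["stage"]] > rank.get(furthest.get(hit["client"]), 0):
            furthest[hit["client"]] = hit["stage"]
    return furthest


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} "
              f"type={hit['type']} stage={hit['stage']} sw={hit['sw']}")
    print("furthest stage per client:", stage_reached(find_beacons(SAMPLE_LOG)))
```

Matching on the path and the three always-present parameters rather than on the server address keeps the rule useful if the infrastructure moves; the os_* fields are kept so an analyst can see what the sample reported about the host.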

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
    1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
    2. Delete the following files:
      %USERPROFILE%\Application Data\efhhcwck.ddr 
      %USERPROFILE%\Application Data\efhhcwck.exe
      %USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
      
    3. Delete the following system registry keys (see What is a system registry and how do I use it?):
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
      "0X29A"
      
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
      "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr" = "1"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoLogoff" = "1"
      
    4. Restore the original system registry key value (What is a system registry and how do I use it?):
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "MigrateProxy"
      "ProxyEnable"
      "ProxyServer"
      "ProxyOverride"
      "AutoConfigURL"
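The registry artifacts listed under Installation (the Run keys), under Payload (the policy values and the proxy settings that are rewritten in an endless cycle) and in the removal steps above can be watched for as they are written. The Python below is an added example and not part of the original write-up: it takes a constructed stream of registry set/delete events (the five-field line format is an assumption standing in for whatever an EDR or Sysmon pipeline emits), flags the specific values from the write-up, and separately flags rapid repeated changes to the Internet Settings proxy values, which catches the create-and-delete loop even if the proxy address were to change. The churn window and threshold are arbitrary defaults.

```python
"""Flag DigiPog-style registry changes in a stream of registry events.

Added example, not code from the original write-up.  Events arrive as
constructed "<seconds>|<SET or DELETE>|<key>|<value name>|<data>" lines,
standing in for an EDR/Sysmon registry feed.  Key paths and value names are
the ones listed in the write-up.
"""
import re
from collections import defaultdict

RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
INTERNET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = {"MigrateProxy", "ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}
# A ProxyServer entry pointing at the loopback address (the write-up's value is
# "http=127.0.0.1:41653;"); any port on 127.x is treated as suspicious.
LOOPBACK_RE = re.compile(r"(^|[=;])\s*(127\.\d+\.\d+\.\d+|localhost)(:\d+)?", re.IGNORECASE)

# Constructed sample: persistence and policy writes, then five rounds of the
# set/delete loop half a second apart, then an unrelated proxy change.
SAMPLE_EVENTS = r"""
0.0|SET|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|PC Health Status|%USERPROFILE%\Application Data\efhhcwck.exe
0.1|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|PC Health Status|%USERPROFILE%\Application Data\efhhcwck.exe
0.5|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr|1
0.6|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoLogoff|1
1.0|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer|http=127.0.0.1:41653;
1.0|DELETE|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyOverride|
1.5|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer|http=127.0.0.1:41653;
1.5|DELETE|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyOverride|
2.0|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer|http=127.0.0.1:41653;
2.0|DELETE|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyOverride|
2.5|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer|http=127.0.0.1:41653;
2.5|DELETE|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyOverride|
3.0|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer|http=127.0.0.1:41653;
3.0|DELETE|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyOverride|
30.0|SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer|http=proxy.corp.example:8080
"""


def parse_events(text):
    """Turn the constructed line format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, key, name, data = line.split("|", 4)
        events.append({"ts": float(ts), "op": op, "key": key, "name": name, "data": data})
    return events


def detect(events, churn_window=10.0, churn_threshold=5):
    """Return findings as {"rule", "ts", "detail"} dicts, deduplicated by detail."""
    findings, seen = [], set()
    proxy_touches = defaultdict(list)  # value name -> timestamps of SET/DELETE

    def report(rule, ts, detail):
        if (rule, detail) not in seen:
            seen.add((rule, detail))
            findings.append({"rule": rule, "ts": ts, "detail": detail})

    for e in events:
        key, name, data, is_set = e["key"], e["name"], e["data"], e["op"] == "SET"
        if is_set and key in RUN_KEYS and (
            name == "PC Health Status" or data.lower().endswith(r"\efhhcwck.exe")
        ):
            report("run-key-persistence", e["ts"], f"{key}\\{name} = {data}")
        if is_set and key.endswith(r"\Policies\System") and name == "DisableTaskMgr" and data == "1":
            report("taskmgr-disabled", e["ts"], f"{key}\\{name} = {data}")
        if is_set and key.endswith(r"\Policies\Explorer") and name == "NoLogoff" and data == "1":
            report("logoff-hidden", e["ts"], f"{key}\\{name} = {data}")
        if is_set and key == INTERNET_SETTINGS and name == "ProxyServer" and LOOPBACK_RE.search(data):
            report("loopback-proxy", e["ts"], f"ProxyServer = {data}")
        if key == INTERNET_SETTINGS and name in PROXY_VALUES:
            proxy_touches[name].append(e["ts"])

    # The endless create/delete cycle shows up as many changes to the same
    # value within a short window, whatever data is written each time.
    for name, stamps in proxy_touches.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= churn_window:
                j += 1
            if j - i >= churn_threshold:
                report("proxy-settings-churn", stamps[i],
                       f"{name} changed {j - i} times within {churn_window}s")
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['ts']:>5}] {f['rule']}: {f['detail']}")
```

The value-specific rules give a precise match on this sample; the churn rule is the one that generalises, since a process that rewrites the same Internet Settings values several times a second is abnormal for any legitimate software, and it also tells the responder which values step 4 of the removal instructions will need to restore.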
