
Monday, 16 April 2012

Android.Tigerbot


Type:
Trojan
Infection Length:
220,015 bytes
Android.Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.

Android package file
The Trojan may arrive as a package with the following name:

APK: com.google.android.lifestyle
Version: 1.4.1
Name: com.google.android.lifestyle.apk
Icon: The Trojan does not create an application icon. However, it may appear in Manage Applications as an application named System.


Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
  • Check the phone's current state.
  • Change the phone state, such as powering it on and off.
  • Initiate a phone call without using the Phone UI or requiring confirmation from the user.
  • Monitor, modify, or end outgoing calls.
  • Use the device's mic to record audio.
  • Access the camera.
  • Modify global audio settings.
  • Read user's contacts data.
  • Create new contact data.
  • Start once the device has finished booting.
  • Send, monitor, read, and create new SMS messages.
  • Open network connections.
  • Access location information, such as Cell-ID or WiFi.
  • Access location information, such as GPS information.
  • Update device statistics.
  • Prevent processor from sleeping or screen from dimming.
  • Allow access to low-level power management.
  • Read or write to the system settings.
  • Disable the keyguard.
  • Write to external storage devices.
  • Allow access to low-level system logs.
  • End background processes.
  • Access information about networks.
  • Write the APN settings.
  • Connect to paired Bluetooth devices.


Remote access
The Trojan then opens a back door on the compromised device and listens for specially crafted SMS messages, allowing an attacker to perform the following actions:
  • Change network settings
  • Stop and start processes and services
  • Send the contact list to a remote location
  • Reboot the compromised device
  • Record incoming and outgoing call numbers
  • Deactivate software
  • Take screenshots
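
The trait combination described above (SMS-driven control, audio and call spying, boot persistence, no launcher icon) is what a defender would triage a manifest for. The following Python is an added example, not code from the original description: the mapping of the listed capabilities to Android permission constants is an assumption, and the sample manifest is constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the capabilities listed above to Android permission
# constants; together they let an app be driven by SMS and spy on the user.
SMS_CONTROL = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
               "android.permission.SEND_SMS"}
SPYING = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
          "android.permission.PROCESS_OUTGOING_CALLS",
          "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"

def has_launcher_activity(root) -> bool:
    """True if any <activity> carries a MAIN/LAUNCHER intent filter (visible icon)."""
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                return True
    return False

def triage_manifest(xml_text: str) -> dict:
    """Score a manifest for the Tigerbot-like trait combination."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    if SMS_CONTROL <= perms:
        findings.append("full SMS control (receive, read and send)")
    if perms & SPYING:
        findings.append("spying: " + ", ".join(sorted(perms & SPYING)))
    if BOOT in perms:
        findings.append("starts at boot")
    launcher = has_launcher_activity(root)
    if not launcher:
        findings.append("no launcher activity (app hidden from the drawer)")
    return {"package": root.get("package"), "permissions": sorted(perms),
            "launcher": launcher, "findings": findings,
            "suspicious": len(findings) >= 3}

# Constructed manifest with the traits described above (not the real APK's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.lifestyle">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System">
    <receiver android:name=".Boot"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(finding)
```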

Android.Dougalek


Type:
Trojan
Infection Length:
Between 18,646 and 18,679 bytes
Android.Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video. 
Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
  • Open network connections.
  • Check the phone's current state.
  • Read user's contacts data. 


Functionality
The Trojan steals the Contacts information from the compromised device and uploads it to the following location:
[http://]depot.bulks.jp/get[TWO RANDOM NUMBERS].php

It also attempts to download a video from the following URL and display it:
[http://]depot.bulks.jp/movie/movie[TWO RANDOM NUMBERS].mp4

Trojan-Dropper.Win32.Agent.aiad


Technical Details

This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 33 400 bytes in size. It is packed using UPX. The unpacked file is approximately 73 KB in size. It is written in Delphi.

Payload

Once launched, the Trojan performs the following actions:
  • It deletes the following file:
    %Program Files%\Internet Explorer\JavaNe64.Bet
  • It copies its body to a file:
    %Program Files%\Internet Explorer\JavaNe64.Bet
    The first 2 bytes of the file are replaced with
    4B 4F
  • It extracts a file from its body and saves it under the following name:
    %Program Files%\Internet Explorer\BoboChen.jsp
    (50 296 bytes; detected by Kaspersky Anti-Virus as "Worm.Win32.AutoRun.aazu"). The file is created with the "hidden" and "system" attributes.
    The extracted library contains functionality that enables the malicious user to hijack accounts of the Chinese Tencent QQ instant messaging service.
  • It launches its original file with the "Z" parameter. In addition to the above-mentioned actions, it creates in the system a window called "Jsxtxut" (window class: "Button"). Messages sent to the created window are processed using the "MgHookOp" and "MgHookCs" functions from the previously extracted library.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:
    %Program Files%\Internet Explorer\JavaNe64.Bet
    %Program Files%\Internet Explorer\BoboChen.jsp 

Trojan-GameThief.Win32.Magania.dbtv


Technical Details

This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). The file is 126 464 bytes in size. It is packed using ASPack. The unpacked file is approximately 516 KB in size. It is written in C++.

Installation

Once launched, the Trojan copies its original body to the current user's temporary files directory under the following name:
%Temp%\herss.exe
It assigns "Hidden", "Read Only", and "System" attributes to this file. In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\herss.exe"

Payload

Once launched, the Trojan elevates its privileges to gain access to other processes. Depending on whether an "AVP.exe" process is running, the Trojan extracts a malicious driver from its body under one of several names. If "AVP.exe" is not found, it saves the driver under the name:
%System%\drivers\klif.sys
The file is 3840 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Zapchast.ccf.
If the "AVP.exe" antivirus process is detected, the Trojan rewrites the system driver for Microsoft CD-ROM audio filter:
%System%\drivers\cdaudio.sys
It creates the service called "KAVsys" and uses it to launch the malicious driver. After launching the driver, the Trojan deletes the following registry key:
[HKLM\System\CurrentControlSet\Services\KAVsys]
and also deletes the file itself:
%System%\drivers\klif.sys
or:
%System%\drivers\cdaudio.sys
It searches for a process with the name "livesrv.exe" (BitDefender Security Update Service). After detecting a launched "livesrv.exe" process, the Trojan finds the location of the executable file and moves from this directory to the root directory of the logical C drive all executable files ("exe") and library files ("dll") with their original names, adding the new "vcd" extension, for example:
C:\livesrv.exe.vcd
It finds and opens Explorer:
%WinDir%\explorer.exe
If the original Trojan file is not located in the local drive's root directory, the malware ceases running. In other cases the Trojan uses Explorer to open the root directory of the local disk where its executable file is located. In order to ensure that its process is unique in the system, the Trojan creates unique identifiers called "Game_start", "DALXBHDFGERTONGOJK_POP", "MN_XADLEBCBAXCSDFGEWQCDDD0", and "KJLDSOIUBGDSEROPOFGSFSIKDQ_MN". The Trojan then extracts a malicious library from its body and saves it under the following name:
%Temp%\cvasds<rnd>.dll
where rnd is a decimal number.
The file is 86 016 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dbtv.
It assigns "Hidden", "Read Only", and "System" attributes to this file. In a separate thread, 72 000 times per cycle, the Trojan searches for Kaspersky Anti-Virus windows with the class names "AVP.AlertDialog" and "AVP.Product_Notification". The Trojan closes the window with the class name "AVP.AlertDialog" by simulating a mouse click on the dialog window. It closes the window with the class name "AVP.Product_Notification" by sending a close message to this window. It searches for the process:
RavMon.exe
When this process is found, in all threads it searches for windows with the class name "#32770" and attempts to close them. It injects its malicious code into the address space of the process "explorer.exe", which launches the malicious library "cvasds<rnd>.dll" for execution. The Trojan's library is injected into all launched applications. The Trojan uses this library to perform the following actions:
  • It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:
    [HKLM\System\CurrentControlSet\Control\Nls\Language]
  • In order to hide files with "Hidden" and "System" attributes, the Trojan creates the following parameters in the system registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
    
  • If "iexplore.exe" is the parent process for this library, every 500 milliseconds the Trojan searches the thread for a window with the class name "IEFrame". If successful, it keeps the handle of the found window in order to later process data the user enters into the browser.
  • It enables autorun for applications on removable media, adding the following value for the system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    
  • It creates the following registry keys:
    [HKCR\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    
    [HKLM\Software\Classes\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    
  • It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.16***.com*"
    
  • It downloads malware from the following URLs:
    http://www.16***u.com/1mg/am.rar
    http://www.go***ccf.com/1mg/am1.rar
    The files are saved in the current user's temporary files directory under the following names, respectively:
    %Temp%\am.exe
    %Temp%\am1.exe
    
    The file is 159 232 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.
    The Trojan then opens the file, decrypts the header of the executable file, and launches it for execution. The malware extracts the executable file into the current user's temporary files directory under the name:
    %Temp%\apiqq.exe
    Then, in order to ensure that it is launched automatically each time the system is rebooted, it adds a link to the executable file in the system registry autorun key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "api32" = "%Temp%\apiqq.exe"
    
    It extracts a malicious library from its body, and saves it under one of the following names:
    %Temp%\apiqq0.dll 
    %Temp%\apiqq1.dll
    
    This file is 98 304 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.
  • Once the system is rebooted, the Trojan removes all hooks installed in the SSDT (System Service Dispatch Table), including those installed by antivirus applications.
  • It blocks the update service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents updates for the following antivirus products:
    ALYac
    Avast
    AVG
    Antivir Guard
    McAfee 
    Norton Security Suite
    NOD32
    Symantec 
    Spyware Doctor Internet Security
    Trend Micro Internet Security
    Virus Chaser
    
  • It steals confidential data from user accounts for the following games:
    World of Warcraft
    SilkRoad Online
    Knight Online
    CABAL Online
    Metin2
    MapleStory
    Dofus
    Guild Wars
    Aion
    Dungeon Fighter Online
    MU Online
    Seal Online
    EVE Online
    
  • The Trojan sends the collected data to the malicious user's server via the following links:
    

Propagation

For its subsequent propagation the Trojan copies the following file:
%Temp%\herss.exe
into the root directories of all local drives, network drives, and removable drives, under the name:
X:\wyskq6lt.exe
where X is the letter of the disk partition. The Trojan creates the below file to autorun the executable file:
X:\autorun.inf
It writes the following strings to this file:
[AutoRun]
open=wyskq6lt.exe
shell\open\Command=wyskq6lt.exe
The Trojan assigns "Hidden", "Read Only", and "System" attributes to the created files.
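
The registry tampering described for the injected library (Explorer "Hidden"/"ShowSuperHidden"/"CheckedValue", "NoDriveTypeAutoRun", the Run entries, the MADOWN keys) and the autorun.inf written during propagation are the artifacts a responder would audit for. The Python below is an added example, not code from the original description: it parses registry values in the abbreviated .reg-style notation used on this page (an assumption about the input format) plus an autorun.inf, and reports the settings this Trojan leaves behind; the sample export and autorun.inf are constructed.

```python
import re

# Values the Trojan sets (taken from the description above); the abbreviated
# hive names used on this page are assumed for the input.
INDICATORS = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 2,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden"): 0,
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue"): 0,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun"): 0x91,
}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_NAMES = {"cdoosoft", "api32"}
DROPPED_KEYS = {r"HKCR\CLSID\MADOWN", r"HKLM\Software\Classes\CLSID\MADOWN"}

def parse_reg(text: str) -> dict:
    """Return {key: {name: value}}; dword values become ints, strings lose quotes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*(.+)', line)
        if m and current is not None:
            name, raw = m.groups()
            keys[current][name] = (int(raw[6:], 16) if raw.lower().startswith("dword:")
                                   else raw.strip('"'))
    return keys

def audit_registry(reg_text: str) -> list:
    """List the Magania-style tampering present in a registry export."""
    keys, findings = parse_reg(reg_text), []
    for (key, name), bad in INDICATORS.items():
        if keys.get(key, {}).get(name) == bad:
            findings.append(f"{key}\\{name} = {bad:#x} (weakened by the Trojan)")
    for name, target in keys.get(RUN_KEY, {}).items():
        # Known value names, or any Run entry that launches from %Temp%
        if name in RUN_NAMES or "%temp%" in str(target).lower():
            findings.append(f"autorun entry {name} -> {target}")
    findings += [f"dropped key {k}" for k in DROPPED_KEYS if k in keys]
    return findings

def audit_autorun_inf(text: str) -> list:
    """Flag open= and shell\\open\\Command= lines that launch an executable."""
    return [l.strip() for l in text.splitlines()
            if re.match(r"(?i)\s*(open|shell\\open\\command)\s*=.*\.exe", l)]

# Constructed sample input mirroring the artifacts described above.
SAMPLE_REG = r"""[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\herss.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKCR\CLSID\MADOWN]
"urlinfo"="dswdfre.q"
"""
SAMPLE_INF = "[AutoRun]\nopen=wyskq6lt.exe\nshell\\open\\Command=wyskq6lt.exe\n"

if __name__ == "__main__":
    print("\n".join(audit_registry(SAMPLE_REG) + audit_autorun_inf(SAMPLE_INF)))
```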

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the following system registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "api32" = "%Temp%\apiqq.exe"
    "cdoosoft"="%Temp%\herss.exe"
    
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Modify the following registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.163*.com*"
    to:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000001
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000001
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000255
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"=""
    
  4. Delete the following registry keys:
    [HKCR\CLSID\MADOWN]
    [HKLM\Software\Classes\CLSID\MADOWN]
    
  5. Delete the following files:
    %Temp%\herss.exe
    %Temp%\apiqq.exe
    %Temp%\apiqq0.dll 
    %Temp%\apiqq1.dll
    %Temp%\am.exe
    %Temp%\am1.exe
    X:\wyskq6lt.exe
    X:\autorun.inf
    %Temp%\cvasds<rnd>.dll
    
    where rnd is a decimal number.
  6. Restore antivirus components.
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

Exploit.Java.CVE-2010-0840.b


Technical Details

This Trojan exploits a vulnerability in Oracle Java SE (CVE-2010-0840) to execute arbitrary code on a vulnerable system. It is a Java class file. It is 6592 bytes in size.

Payload

A malicious Java applet is activated after an infected HTML page is opened in the user's browser. The applet is launched by means of an "<applet>" HTML tag whose parameters name the application's main class:
code='setup.lang.class'
the JAR archive that contains this malicious class:
archive='tetris.jar'
and a "pid" parameter whose value contains an encrypted link. The exploit uses a vulnerability that lets the malicious applet call privileged methods without a proper security check (CVE-2010-0840), which is how it can execute arbitrary code on the vulnerable system. The following Oracle Java SE and Java for Business versions are vulnerable:
  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 18 and earlier for Windows, Solaris and Linux;
  • JDK and JRE 5.0 Update 23 and earlier for Solaris;
  • Software Development Kit (SDK) 1.4.2 Update 25 and earlier for Solaris.
After exploiting this vulnerability, the malware decrypts the link and uses it to download a file. The downloaded file is saved in the current user's temporary files directory under the name:
%Temp%\<rnd>.exe
where rnd is a random fractional number, for example, "0.8608151138918041" or "0.6955395946128761". The executable file is then launched for execution.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Update Oracle Java JRE and JDK to the latest versions.
  3. Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%

Trojan-Downloader.OSX.Flashfake


Technical Details

A family of malware for Mac OS X. The first versions of this type of threat were detected in September 2011. In March 2012 over 600 000 computers worldwide were infected by Flashback. The infected computers were combined in a botnet that enabled cybercriminals to install additional malicious modules on them at will. One of the modules is known to generate fake search engine results, displaying false results for users and generating profits for cybercriminals via ‘click fraud’. It is quite possible that, in addition to intercepting search engine traffic, cybercriminals can upload other malicious modules to infected computers – e.g. for data theft or spam distribution.
A Trojan program that downloads other malicious programs from the Internet and launches them on a victim machine without the user’s knowledge. The program is a Mac OS X (Mach-o) application. It is between 19,384 and 200,876 bytes in size. It is written in C++.

Payload

Once launched, the Trojan attempts to download additional malicious modules. Every 24 hours the Trojan tries to connect to 30 sites: it generates 5 domain names, and a further 25 are hard-coded in the body of the malicious program itself. One of those sites (randomly chosen) hosts the botnet's C&C server as deployed by the cybercriminals. The domains have names such as:
The Trojan saves the downloaded modules in the following application folders:
/Applications/Safari.app/
/Applications/Firefox.app/
etc.
The downloaded files can be encrypted with the victim machine’s UUID. If loaded successfully, the Trojan sends a notification to its owners at the addresses:
http://adobesoftwareupdate.com/counter/
http://78.46.139.211/jcounter/    
etc.