Technical Details
This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 21 580 bytes in size. It is packed using PE_Patch or UPack. The unpacked file is approximately 283 KB in size. It is written in C++.
Payload
Once launched, the Trojan creates a unique identifier to ensure that its process is unique in the system:
__NBA_MUTEX_0__
Also, the following directory is created in the root directory of the C drive:C:\<rnd>
where <rnd> is an eight-digit hexadecimal number generated on the basis of the current system time.
The directory is created with the "hidden" and "system" attributes.
If the Trojan detects the driver called "ProtectedC.sys", it extracts the following files from its body:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\human.exe
(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.yaa")\\.\Root#RCVYL#0000#KsecDD\%System%\mmc.exe
(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.yaa")\\.\Root#RCVYL#0000#KsecDD\%System%\user32.dll
(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Patched.dz")\\.\Root#RCVYL#0000#KsecDD\%System%\winhlp32.exe
(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.xxg")
If the "hintFD.sys" driver is present in the system, the Trojan performs the following actions:
- It extracts the library from its body and saves it as:
C:\<rnd>\<rnd>.dll(4608 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.yki") - It calls the "HookEnter" function from the extracted library.
- It extracts the following files from its body:
\\.\HintZ0\%System%\mmc.exe \\.\HintZ0\%System%\user32.dll \\.\HintZ0\%System%\winhlp32.exe \\.\HintZ3\%System%\mmc.exe \\.\HintZ3\%System%\user32.dll \\.\HintZ3\%System%\winhlp32.exeThese files are the same as those described above. - It calls the "HookLeave" function from the extracted "<rnd>.dll" library and deletes this library. The Trojan also performs the following actions:
- It terminates the "Beep" system service and substitutes its binary file:
%System%\drivers\beep.syswith the file it extracted from its own body. The file is 13 696 bytes in size. It is detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.xxh". The Trojan then restarts this service. - It restores the original content of the file:
%System%\drivers\beep.sys - It downloads a file from the Internet via the following link:
http://www.m***8.cn/new.txt (At the time of writing this link was inactive)The file is saved in the system as:C:\<rnd>\<rnd>It contains links used to download other malicious files to the infected computer. From these links, the Trojan downloads files and saves them to the directory "C:\<rnd>" under random names.Once successfully downloaded, the files will be launched for execution.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the directory "C:\<rnd>" and all of its contents.
- Delete files created by the Trojan:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\human.exe \\.\Root#RCVYL#0000#KsecDD\%System%\mmc.exe \\.\Root#RCVYL#0000#KsecDD\%System%\user32.dll \\.\Root#RCVYL#0000#KsecDD\%System%\winhlp32.exe \\.\HintZ0\%System%\mmc.exe \\.\HintZ0\%System%\user32.dll \\.\HintZ0\%System%\winhlp32.exe \\.\HintZ3\%System%\mmc.exe \\.\HintZ3\%System%\user32.dll \\.\HintZ3\%System%\winhlp32.exe
Žádné komentáře:
Okomentovat