Ilomo

This page shows details and results of our analysis on the malware Ilomo

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted, or may use other tools to assist in spreading. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2006-02-08

Description Modified

2009-08-14

Malware Proliferation

Characteristics

--Update on July 31,2009--

The new variant is found downloading components that steal credential information, including components that monitor online bank to steal bank account. It also downloads password recovery program to retrieve passwords from a number of applications.

--Update on June 07,2009--

The new variant drops the following file:
%USER_PROFILE%\Application Data\xx.exe (file name is random)

The following registry key is added to hook system startup:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\xx: "%USER_PROFILE%\xx.exe" (registery key name is random.)

(where %USER_PROFILE% is the default user profile folder, for example C:\Documents and Settings\Administrator if the current user is Administrator.)

Additional Key Values are added:

  • HKEY_USERS\Software\Microsoft\Internet Explorer\Settings:
    • GID
    • GateList
    • KeyM
    • KeyE
    • PID

It creates a hidden iexplore.exe process and injects malicious code into it.

It attempts to connect the following server:

  • drug4sale.loderunner.in
  • re-factoring.cn
  • ltdomains.com
  • hostnoc.net
  • 66.96.234.5
  • booch.goochabamboocha.cn
  • forum.reversed.gs

At the time of testing, the GateList key value, contained the following IP:

  • 147.202.39.101
  • 195.225.236.4
  • 201.2.197.15
  • 202.181.96.87
  • 207.218.248.49
  • 147.202.39.101
  • 174.142.22.51
  • 195.12.38.103
  • 195.189.247.110
  • 195.225.236.4
  • 209.51.159.31
  • 209.85.120.100
  • 61.153.3.48
  • 64.18.143.52
  • 66.128.55.82
  • 66.199.237.139
  • 66.199.237.3
  • 66.225.237.140
  • 66.7.197.104
  • 66.96.234.5
  • 66.98.144.21
  • 66.98.153.17
  • 67.15.150.130
  • 67.15.161.131
  • 67.15.236.244
  • 67.228.138.10
  • 69.172.130.201
  • 69.57.140.181
  • 70.84.236.194
  • 72.233.28.167
  • 72.29.66.235
  • 78.108.183.225
  • 78.109.29.129
  • 78.109.30.213
  • 78.109.31.54
  • 78.47.214.117
  • 78.47.61.229
  • 78.47.61.232
  • 83.175.218.163
  • 84.16.229.188
  • 84.243.197.76
  • 87.118.101.27
  • 87.118.88.30
  • 92.48.96.229
  • 94.75.221.70

----------------------------------

Ilomo launches a hidden instance if iexplorer.exe then injects the process with malicious code that downloads and execute additional components from the web. The specific function of the downloaded components may vary depending upon when the infection occured and when components were downloaded. Information from the field suggests that this trojan may use Psexec to propogate itself.

Symptoms

  • A running iexplore.exe process from the logged on account with no visual interface.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants