W32/Vulcanbot

Overview:

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.  The main objective of this trojan is to change the default DNS entries to its own preferred DNS server.

Characteristics:

W32/Vulcanbot is bot malware that attempts to establish a remote connection to an attacker-controlled host. The command and control communication is made using a non-standard protocol.

Upon installation the following events have been observed.

The following registry keys are added:

• HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
• HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
• HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
• HKEY_CLASSES_ROOT\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
• HKEY_CLASSES_ROOT\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402
• HKEY_CLASSES_ROOT\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
• HKEY_CLASSES_ROOT\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
• HKEY_CLASSES_ROOT\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
• HKEY_CLASSES_ROOT\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jucheck
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\jucheck
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JUCHECK
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck
• HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jucheck\: "Service"
• HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\jucheck\: "Service"
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Control\*NewlyCreated*: 0x00000000
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Control\ActiveService: "jucheck"
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Service: "jucheck"
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\ConfigFlags: 0x00000000
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Class: "LegacyDriver"
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\DeviceDes%RootDir% "Java online update program"
• HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\DependOnService: 'jucheck'
• HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\DependOnGroup: 00
• HKLM\SYSTEM\ControlSet001\Services\jucheck\Enum\0: "Root\LEGACY_JUCHECK\0000"
• HKLM\SYSTEM\ControlSet001\Services\jucheck\Enum\Count: 0x00000001
• HKLM\SYSTEM\ControlSet001\Services\jucheck\Enum\NextInstance: 0x00000001
• HKLM\SYSTEM\ControlSet001\Services\jucheck\Type: 0x00000010
• HKLM\SYSTEM\ControlSet001\Services\jucheck\Start: 0x00000002
• HKLM\SYSTEM\ControlSet001\Services\jucheck\ErrorControl: 0x00000002
• HKLM\SYSTEM\ControlSet001\Services\jucheck\ImagePath: "[Path to executable]\jucheck.exe"
• HKLM\SYSTEM\ControlSet001\Services\jucheck\DisplayName: "Java online update program"
• HKLM\SYSTEM\ControlSet001\Services\jucheck\DependOnService: 'RpcSs'
• HKLM\SYSTEM\ControlSet001\Services\jucheck\DependOnGroup: 00
• HKLM\SYSTEM\ControlSet001\Services\jucheck\ObjectName: "LocalSystem"
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Enum\0: "Root\LEGACY_JUCHECK\0000"
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Enum\Count: 0x00000001
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Enum\NextInstance: 0x00000001
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Type: 0x00000010
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Start: 0x00000002
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\ErrorControl: 0x00000002
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\ImagePath: "[Path to executable]\jucheck.exe"
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\DisplayName: "Java online update program"
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\DependOnService: 'RpcSs'
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\DependOnGroup: 00
• HKLM\SYSTEM\CurrentControlSet\Services\jucheck\ObjectName: "LocalSystem"

The following keys are added to have the malware run at startup:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%SystemDirectory%\userinit.exe,[Path to executable]\[executable name].exe"
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit": "%SysDir%\userinit.exe, %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe"
•  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Update "C:\Program Files\Windows NT\Windows Update\wuauclt.exe"

The following files are added to the host:

• %UserDir%\Application Data\Java\jre6\bin\jucheck.exe
• %UserDir%\Application Data\Java\jre6\bin\zf32.dll
• %UserDir%\Application Data\Microsoft\Internet Explorer\Quick Launch\VPSKEYS 4.3.lnk
• %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe
• %RootDir%\Program Files\Java\jre6\bin\jucheck.exe
• %RootDir%\Program Files\Microsoft Office\Office11\OSA.exe
• %SysDir%\mscommon.inf
• %SysDir%\msconfig32.sys
• %SysDir%\zf32.dll
• %SysDir%\Setup\AdobeUpdateManager.exe
• %SysDir%\Setup\jucheck.exe
• %SysDir%\Setup\MPClient.exe
• %SysDir%\Setup\MPSvc.exe
• %SysDir%\Setup\OSA.exe
• %SysDir%\Setup\wuauclt.exe
• %SysDir%\Setup\zf32.dll

Note: where %UserDir% is the current user directory, %RootDir% is the root installation directory, and %SysDir%  is the Windows system directory (typically, Windows/System32).

Communication may be made with remote hosts over port 80, 2120, 8585 or other random high TCP ports.

The following domains were contacted during testing:

• google.h[removed]nix.com
• [removed]qwer.dyndns.org
• blogspot.blogsite.org
• [removed]ews.ath.cx
• [removed]nix.com
• [removed]mail.ath.cx

• Existence of aforementioned files and registry keys.
• Network connections to unexpected domains.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).