W32/Vulcanbot

This page shows details and results of our analysis on the malware W32/Vulcanbot

Overview

-- Update March 31, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://googleonlinesecurity.blogspot.com/2010/03/chilling-effects-of-malware.html

McAfee Labs has posted an FAQ on this threat - McAfee Labs W32/Vulcanbot Q&A

--

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.  The main objective of this trojan is to change the default DNS entries to its own preferred DNS server.


Minimum DAT

5870 (2010-01-23)

Updated DAT

5963 (2010-04-25)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2010-01-23

Description Modified

2010-03-31

Malware Proliferation

Characteristics

Overview:

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.  The main objective of this trojan is to change the default DNS entries to its own preferred DNS server.


Characteristics:

W32/Vulcanbot is bot malware that attempts to establish a remote connection to an attacker-controlled host. The command and control communication is made using a non-standard protocol.

Upon installation the following events have been observed.

The following registry keys are added:

  • HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
  • HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
  • HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
  • HKEY_CLASSES_ROOT\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
  • HKEY_CLASSES_ROOT\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402
  • HKEY_CLASSES_ROOT\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
  • HKEY_CLASSES_ROOT\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
  • HKEY_CLASSES_ROOT\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
  • HKEY_CLASSES_ROOT\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jucheck
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\jucheck
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JUCHECK
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jucheck\: "Service"
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\jucheck\: "Service"
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Control\*NewlyCreated*: 0x00000000
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Control\ActiveService: "jucheck"
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Service: "jucheck"
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\ConfigFlags: 0x00000000
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Class: "LegacyDriver"
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\DeviceDes%RootDir% "Java online update program"
  • HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\DependOnService: 'jucheck'
  • HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\DependOnGroup: 00
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\Enum\0: "Root\LEGACY_JUCHECK\0000"
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\Enum\Count: 0x00000001
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\Enum\NextInstance: 0x00000001
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\Type: 0x00000010
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\Start: 0x00000002
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\ErrorControl: 0x00000002
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\ImagePath: "[Path to executable]\jucheck.exe"
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\DisplayName: "Java online update program"
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\DependOnService: 'RpcSs'
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\DependOnGroup: 00
  • HKLM\SYSTEM\ControlSet001\Services\jucheck\ObjectName: "LocalSystem"
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Enum\0: "Root\LEGACY_JUCHECK\0000"
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Enum\Count: 0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Enum\NextInstance: 0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Type: 0x00000010
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\Start: 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\ErrorControl: 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\ImagePath: "[Path to executable]\jucheck.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\DisplayName: "Java online update program"
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\DependOnService: 'RpcSs'
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\DependOnGroup: 00
  • HKLM\SYSTEM\CurrentControlSet\Services\jucheck\ObjectName: "LocalSystem"


The following keys are added to have the malware run at startup:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%SystemDirectory%\userinit.exe,[Path to executable]\[executable name].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit": "%SysDir%\userinit.exe, %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe"
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Update "C:\Program Files\Windows NT\Windows Update\wuauclt.exe"

The following files are added to the host:

  • %UserDir%\Application Data\Java\jre6\bin\jucheck.exe
  • %UserDir%\Application Data\Java\jre6\bin\zf32.dll
  • %UserDir%\Application Data\Microsoft\Internet Explorer\Quick Launch\VPSKEYS 4.3.lnk
  • %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe
  • %RootDir%\Program Files\Java\jre6\bin\jucheck.exe
  • %RootDir%\Program Files\Microsoft Office\Office11\OSA.exe
  • %SysDir%\mscommon.inf
  • %SysDir%\msconfig32.sys
  • %SysDir%\zf32.dll
  • %SysDir%\Setup\AdobeUpdateManager.exe
  • %SysDir%\Setup\jucheck.exe
  • %SysDir%\Setup\MPClient.exe
  • %SysDir%\Setup\MPSvc.exe
  • %SysDir%\Setup\OSA.exe
  • %SysDir%\Setup\wuauclt.exe
  • %SysDir%\Setup\zf32.dll

Note: where %UserDir% is the current user directory, %RootDir% is the root installation directory, and %SysDir%  is the Windows system directory (typically, Windows/System32).

Communication may be made with remote hosts over port 80, 2120, 8585 or other random high TCP ports.

The following domains were contacted during testing:

  • google.h[removed]nix.com
  • [removed]qwer.dyndns.org
  • blogspot.blogsite.org
  • [removed]ews.ath.cx
  • [removed]nix.com
  • [removed]mail.ath.cx

 

Symptoms

  • Existence of aforementioned files and registry keys.
  • Network connections to unexpected domains.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants