Overview
This detection is for a malware, which when executed, attempts to connect to a list of predefined sites on port 443[SSL].
The characteristics of this malware with regards to file names used, sites contacted etc. could differ from variant to another. Hence, this is a general description.
|
Minimum DAT
5881 (2010-02-03) Updated DAT5881 (2010-02-03) |
Minimum Engine
5.3.00 File LengthVaries |
Description Added
2010-02-01 Description Modified2010-02-02 |
Malware Proliferation
Characteristics
-- Update February 2, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
--
When executed, this malware drops a copy of itself in the following location:
- %UserProfile%\imPlayok.exe
- %System%\imPlayok.exe
Note:
- %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName]
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System32
The malware then creates the following registry entries to ensure its execution at system startup:
- HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
imPlayok = "%System%\imPlayok.exe" - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
imPlayok = "%UserProfile%\imPlayok.exe"
Symptoms
- Presence of files and registry entries mentioned
- Increase in outbound SSL connections on port 443
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants