W32/Routrobot.worm

This page shows details and results of our analysis on the malware W32/Routrobot.worm

Overview

This detection is named as a worm, and the analysis below shows the sample copying itself to peer-to-peer shared folders and removable media. The initial copy, however, is delivered like a Trojan: it is spread manually, often under the premise that it is something beneficial or wanted (here, cracks, keygens and popular applications), and relies either on system or security exploitation or on an unsuspecting user manually executing an unknown program. Distribution channels include e-mail, malicious or compromised web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information:

  • File Size - 607232 bytes
  • MD5 - C2193DC41061EF56591F4821392599CB
  • SHA1 - 80366CDE71B84606CE8ECF62B5BD2E459C54942E

Aliases:

  • F-Secure - Worm:W32/Prolaco.O
  • Kaspersky - Trojan.Win32.Buzus.dbfm
  • Microsoft - Worm:Win32/Prolaco.gen!C
  • Sunbelt - Worm.Win32.Prolaco.gen (v)


Minimum DAT

5881 (2010-02-03)

Updated DAT

6528 (2011-11-12)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2010-02-03

Description Modified

2010-03-29

Malware Proliferation

Characteristics

-----Update on 29-03-2010------

File Information

  • MD5 - 65419ff82ac3ae8d15f828c29f3e6217
  • SHA1 - FAA689B0EBD5F4883F4F2523E05AB7AE09815CEC

Upon execution, the Trojan drops the following files:

  • %WinDir%\mswinsck.dat [Hidden]
  • %WinDir%\system32\javawss.exe [Detected as Generic.dx!osm]

The Trojan also copies itself to the following location:

  • %WinDir%\system32\javan.exe [Detected as W32/Routrobot.worm]

The Trojan connects to whatismyip.com to determine the public IP address of the infected machine.

The Trojan also spreads by copying itself into the following shared folders of peer-to-peer applications:

  • %ProgramFiles%\LimeWire\Shared\
  • %ProgramFiles%\Grokster\My Grokster\
  • %ProgramFiles%\Morpheus\My Shared Folder\

The copies placed in those folders use the following enticing file names:

  • K-Lite Mega Codec v5.5.1.exe
  • YouTubeGet 5.4.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • Adobe Photoshop CS4 crack.exe
  • VmWare 7.0 keygen.exe
  • WinRAR v3.x keygen RaZoR.exe
  • Twitter FriendAdder 2.1.1.exe
  • PDF Unlocker v2.0.3.exe
  • Image Size Reducer Pro v1.0.1.exe
  • Anti-Porn v13.5.12.29.exe
  • Norton Internet Security 2010 crack.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • PDF-XChange Pro.exe
  • Windows 7 Ultimate keygen.exe
  • RapidShare Killer AIO 2010.exe
  • Ashampoo Snap 3.02.exe
  • Blaze DVD Player Pro v6.52.exe
  • Adobe Illustrator CS4 crack.exe
  • Rapidshare Auto Downloader 3.8.exe
  • Trojan Killer v2.9.4173.exe
  • PDF to Word Converter 3.0.exe
  • Google SketchUp 7.1 Pro.exe
  • McAfee Total Protection 2010.exe
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • Youtube Music Downloader 1.0.exe
  • Adobe Acrobat Reader keygen.exe
  • VmWare keygen.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ad-aware 2010.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Norton Anti-Virus 2010 Enterprise Crack.exe
  • Total Commander7 license+keygen.exe
  • LimeWire Pro v4.18.3.exe
  • Download Accelerator Plus v9.exe
  • Internet Download Manager V5.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Absolute Video Converter 6.2.exe
  • Daemon Tools Pro 4.11.exe
  • Download Boost 2.0.exe
  • Avast 4.8 Professional.exe
  • Grand Theft Auto IV (Offline Activation).exe
  • Alcohol 120 v1.9.7.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Super Utilities Pro 2009 11.0.exe
  • Power ISO v4.2 + keygen axxo.exe
  • G-Force Platinum v3.7.5.exe
  • Divx Pro 7 + keymaker.exe
  • Magic Video Converter 8 0 2 18.exe
  • Sophos antivirus updater bypass.exe
  • DVD Tools Nero 10.5.6.0.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • PDF password remover (works with all acrobat reader).exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Windows2008 keygen and activator.exe
  • Tuneup Ultilities 2010.exe
  • Kaspersky Internet Security 2010 keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • Starcraft2 Patch v0.2.exe
  • Starcraft2 keys.txt.exe
  • Starcraft2 Crack.exe
  • Starcraft2 Oblivion DLL.exe
  • Starcraft2.exe

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7F2G3GXM-HP26-D7E5-F3LM-82EG3114PI2D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\japplet3
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\japplet3

The following registry values have been added.

The Trojan registers itself as an authorized application with the Windows Firewall by adding the following value to the registry key. The value data has the format <path>:<scope>:<Enabled|Disabled>:<display name>; a scope of "*" means any remote address, and the entry shows up under the innocuous-looking display name "Explorer" in the firewall exceptions list.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
          %WinDir%\System32\javan.exe = "%WinDir%\System32\javan.exe:*:Enabled:Explorer"

The following entries make the dropped binaries start automatically: the Active Setup StubPath runs once for each user profile at logon, and the Run and Policies\Explorer\Run values run at every logon of that user. Note that the Installed Components entry name as listed is not a well-formed GUID (it contains characters outside 0-9 and A-F), which is itself a usable hunting signal.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7F2G3GXM-HP26-D7E5-F3LM-82EG3114PI2D}\]
          StubPath = "%WinDir%\System32\javawss.exe"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\]
          Cisco Systems VPN client = "%WinDir%\System32\javawss.exe"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
          SunJavaUpdaterv14 = "%WinDir%\System32\javan.exe"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
          Cisco Systems VPN client = "%WinDir%\System32\javawss.exe"

The following registry values have been modified.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
          "Start" = "0x00000004"

Setting Start to 0x00000004 (SERVICE_DISABLED) disables the Error Reporting Service (ERSvc), so crashes of the dropped binaries are never reported.

[Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc and %Programfiles% is C:\Program Files\.]

The Trojan connects to the following IP addresses:

  • 202.54.[Removed].60 through remote port 53.
  • 204.13.[Removed].126 through remote port 443.

----------------------------------------------------------------------------------------------------

-----Update on 11-03-2010------

File Information

    • MD5 - eca1407e247ccc71792f5905c0f6e4bf
    • SHA1 - 227D4018B258AE844D3639B46BC634D0709549FD

Upon execution, the worm copies itself into the following location

    • %WinDir%\system32\javaupdater.exe

The worm spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following names.

(Generally, the file names used are of popular applications and their cracks/keygens)

Shared Folders

    • %ProgramFiles%\winmx\shared\
    • %ProgramFiles%\tesla\files\
    • %ProgramFiles%\morpheus\my shared folder\
    • %ProgramFiles%\emule\incoming\
    • %ProgramFiles%\edonkey2000\incoming\
    • %ProgramFiles%\bearshare\shared\
    • %ProgramFiles%\grokster\my grokster\
    • %ProgramFiles%\icq\shared folder\
    • %ProgramFiles%\kazaa lite k++\my shared folder\
    • %ProgramFiles%\kazaa lite\my shared folder\
    • %ProgramFiles%\kazaa\my shared folder\

File Names

    • K-Lite Mega Codec v5.5.1.exe
    • YouTubeGet 5.4.exe
    • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • K-Lite Mega Codec v5.6.1 Portable.exe
    • Adobe Photoshop CS4 crack.exe
    • VmWare 7.0 keygen.exe
    • WinRAR v3.x keygen RaZoR.exe
    • Twitter FriendAdder 2.1.1.exe
    • PDF Unlocker v2.0.3.exe
    • Image Size Reducer Pro v1.0.1.exe
    • Anti-Porn v13.5.12.29.exe
    • Norton Internet Security 2010 crack.exe
    • Kaspersky AntiVirus 2010 crack.exe
    • PDF-XChange Pro.exe
    • Windows 7 Ultimate keygen.exe
    • RapidShare Killer AIO 2010.exe
    • Ashampoo Snap 3.02.exe
    • Blaze DVD Player Pro v6.52.exe
    • Adobe Illustrator CS4 crack.exe
    • Rapidshare Auto Downloader 3.8.exe
    • Worm Killer v2.9.4173.exe
    • PDF to Word Converter 3.0.exe
    • Google SketchUp 7.1 Pro.exe
    • McAfee Total Protection 2010.exe
    • Mp3 Splitter and Joiner Pro v3.48.exe
    • Youtube Music Downloader 1.0.exe
    • Adobe Acrobat Reader keygen.exe
    • VmWare keygen.exe
    • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • Ad-aware 2010.exe
    • BitDefender AntiVirus 2010 Keygen.exe
    • Norton Anti-Virus 2010 Enterprise Crack.exe
    • Total Commander7 license+keygen.exe
    • LimeWire Pro v4.18.3.exe
    • Download Accelerator Plus v9.exe
    • Internet Download Manager V5.exe
    • Myspace theme collection.exe
    • Nero 9 9.2.6.0 keygen.exe
    • Motorola, nokia, ericsson mobil phone tools.exe
    • Absolute Video Converter 6.2.exe
    • Daemon Tools Pro 4.11.exe
    • Download Boost 2.0.exe
    • Avast 4.8 Professional.exe
    • Grand Theft Auto IV (Offline Activation).exe
    • Alcohol 120 v1.9.7.exe
    • CleanMyPC Registry Cleaner v6.02.exe
    • Super Utilities Pro 2009 11.0.exe
    • Power ISO v4.2 + keygen axxo.exe
    • G-Force Platinum v3.7.5.exe
    • Divx Pro 7 + keymaker.exe
    • Magic Video Converter 8 0 2 18.exe
    • Sophos antivirus updater bypass.exe
    • DVD Tools Nero 10.5.6.0.exe
    • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
    • PDF password remover (works with all acrobat reader).exe
    • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
    • Windows2008 keygen and activator.exe
    • Tuneup Ultilities 2010.exe
    • Kaspersky Internet Security 2010 keygen.exe
    • Windows XP PRO Corp SP3 valid-key generator.exe
    • Starcraft2 Patch v0.2.exe
    • Starcraft2 keys.txt.exe
    • Starcraft2 Crack.exe
    • Starcraft2 Oblivion DLL.exe
    • Starcraft2.exe

The worm also downloads a file to the following location:

    • %AppData%\SystemProc\lsass.exe

When executed, the worm connects to whatismyip.com to retrieve the public IP address of the victim's machine. It also injects its code into svchost.exe, from which it connects to 202.54.[removed].60 on remote port 53.

The following registry keys have been added to the system

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\japplet2]

The following registry value has been added to the system

    • [HKEY_USERS\S-1(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "SunJavaUpdate01" = "%WinDir%\system32\javaupdater.exe"

The above registry entry ensures that the worm executes every time the infected user logs on to Windows.

The worm disables User Account Control (UAC) and suppresses the Security Center's warning about it by adding the following values: EnableLUA = 0 turns UAC off (effective after the next reboot), and UACDisableNotify = 1 stops the Security Center from flagging that UAC is off.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
      "UACDisableNotify" = "0x00000001"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
      "EnableLUA" = "0x00000000"

The worm registers itself as an authorized application with the Windows Firewall by adding the following value to the registry key.

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
      %WinDir%\System32\javaupdater.exe = "%WinDir%\System32\javaupdater.exe:*:Enabled:Explorer"

The following registry values have been modified

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\]
      "Start" = 0x00000004
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
      "Start" = 0x00000004
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
      "Start" = 0x00000004
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
      "Start" = 0x00000004

Setting Start to 0x00000004 (SERVICE_DISABLED) disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc); the change is written under both ControlSet001 and CurrentControlSet.
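The registry artifacts listed in this update (and, under different names, in the 29-03-2010 update above and the original description below) can be triaged offline from a `reg export` of the suspect hives. The following Python script is an added example written for this page; it is not McAfee tooling and not part of the original analysis. The embedded sample is constructed in reg-export syntax from the values on this page with an illustrative SID; the binary-name list, the GUID-format check on the Active Setup component name and the "Explorer label on a non-Explorer binary" heuristic are this example's own assumptions.

```python
"""Offline triage of the registry artifacts described above, from text in 'reg export'
format (so it works on an export from a suspect host or an offline hive dump)."""
import re

# Constructed sample in reg-export syntax, modelled on the values on this page; the SID,
# paths and the Active Setup component name are illustrative.
SAMPLE_REG = r"""
[HKEY_USERS\S-1-5-21-1111-2222-3333-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdate01"="C:\\WINDOWS\\system32\\javaupdater.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Documents and Settings\\Administrator\\Application Data\\SystemProc\\lsass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}]
"StubPath"="C:\\WINDOWS\\System32\\stacsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\javaupdater.exe"="C:\\WINDOWS\\System32\\javaupdater.exe:*:Enabled:Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001
"""

# Binary names this page associates with the family, and the services it disables.
IOC_BINARIES = {"javaupdater.exe", "javan.exe", "javawss.exe", "jnotifier.exe",
                "googleupdate.exe", "googlemapper.exe", "stacsv.exe"}
WATCHED_SERVICES = {"ersvc": "Error Reporting", "wscsvc": "Security Center", "mcshield": "McShield"}
SERVICE_DISABLED = 4  # Start value meaning SERVICE_DISABLED

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
_GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
_unescape = lambda s: s.replace("\\\\", "\\").replace('\\"', '"')
basename = lambda path: path.rsplit("\\", 1)[-1].lower()


def parse_reg_export(text):
    """Yield (key, value_name, data); dword data becomes int, strings are unescaped."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, _unescape(m.group("name")), data


def triage(text):
    """Return (category, detail) findings for the artifact types this page describes."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n, path = key.lower(), name.lower(), str(data)
        if k.endswith("\\currentversion\\run") or k.endswith("\\policies\\explorer\\run"):
            if basename(path) in IOC_BINARIES:
                findings.append(("autostart", f"{name} -> {path} (known lure binary)"))
            elif basename(path) == "lsass.exe" and "\\system32\\" not in path.lower():
                findings.append(("autostart", f"{name} -> {path} (lsass.exe outside System32)"))
        elif "\\active setup\\installed components\\" in k and n == "stubpath":
            component = key.rsplit("\\", 1)[-1]  # should be a GUID; the ones on this page are not
            if not _GUID_RE.match(component) or basename(path) in IOC_BINARIES:
                findings.append(("active-setup", f"{component} StubPath -> {path}"))
        elif k.endswith("\\authorizedapplications\\list"):
            # Data is <path>:<scope>:<Enabled|Disabled>:<label>; rsplit because the path has a drive colon.
            try:
                exe, scope, state, label = path.rsplit(":", 3)
            except ValueError:
                continue
            mislabelled = label.lower() == "explorer" and basename(exe) != "explorer.exe"
            if state.lower() == "enabled" and (basename(exe) in IOC_BINARIES or mislabelled):
                findings.append(("firewall", f"{exe} allowed on scope '{scope}' as '{label}'"))
        elif "\\services\\" in k and n == "start":
            svc = k.rsplit("\\", 1)[-1]
            if svc in WATCHED_SERVICES and data == SERVICE_DISABLED:
                findings.append(("service", f"{WATCHED_SERVICES[svc]} ({svc}) set to SERVICE_DISABLED"))
        elif k.endswith("\\policies\\system") and n == "enablelua" and data == 0:
            findings.append(("uac", "EnableLUA=0: User Account Control switched off"))
        elif k.endswith("\\security center") and n == "uacdisablenotify" and data == 1:
            findings.append(("uac", "UACDisableNotify=1: Security Center UAC warning suppressed"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REG):
        print(f"[{category}] {detail}")
```

To run it against a real export, use `triage(open(path, encoding="utf-16").read())`, since `reg export` writes UTF-16 with a byte-order mark. A `firewall` hit is worth correlating with the `autostart` hits: the same binary normally appears in both, as it does in every update on this page.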

Once the system is compromised, the worm monitors the search terms the user submits to the following search engines:

    • Google
    • yahoo
    • live
    • msn
    • bing

Also, the Worm omits the following search keywords

    • cialis
    • pharma
    • casino
    • finance
    • mortgage
    • insurance
    • gambling
    • health
    • hotel
    • travel
    • antivirus
    • antivir
    • pocker
    • poker
    • video
    • baby
    • bany
    • porn
    • golf
    • diet
    • vocations
    • design
    • graphic
    • football
    • footbal
    • estate
    • job
    • baseball
    • shop
    • books
    • gifts
    • money
    • spyware
    • credit
    • loans
    • loan
    • dating
    • ebay
    • myspace
    • virus
    • film
    • ipod
    • verizon
    • amazon
    • iphone
    • software
    • movie
    • mobile
    • bank
    • music
    • cars
    • craigslist
    • game
    • sex
    • sport
    • medical
    • school
    • wallpaper
    • dvd
    • military
    • weather
    • twitter
    • fashion
    • spybot
    • trading
    • tramadol
    • yobt
    • flower
    • cigarettes
    • doctor
    • flights
    • airlines
    • comcast
    • Explorer
    • Opera
    • Chrome

This worm also spreads by copying itself to any removable media connected to the system and creates an autorun.inf file so that it is executed whenever the device is connected to another system. This only works on Windows versions that still honour autorun.inf on removable drives; Windows 7 and later, and XP/Vista with the 2011 AutoRun update, ignore it on non-optical media.
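The P2P seeding described in this update (the shared-folder list and lure file names above; the same lists recur in the other updates on this page) and the removable-media spreading via autorun.inf can be hunted for on disk. The script below is an added example, not the page's own code or McAfee tooling: it hashes every .exe under the known shared folders against the MD5 values published on this page, flags lure-style names and double extensions, and parses autorun.inf to report what it would launch. The directory tree it builds is constructed demo data (an MZ header plus filler, not a real sample), and the lure-word regex is this example's own heuristic distilled from the list above.

```python
"""Hunt for the spreading artifacts described above: lure-named executables in P2P
shared folders, files matching the MD5s on this page, and an autorun.inf launcher."""
import hashlib
import os
import re
import tempfile

# MD5 values listed on this page, lower-cased for comparison.
KNOWN_MD5 = {"c2193dc41061ef56591f4821392599cb", "65419ff82ac3ae8d15f828c29f3e6217",
             "eca1407e247ccc71792f5905c0f6e4bf", "e94a8fa4fa9067136e4c6a2b43f30d93"}
# Shared folders named on this page, as path components under %ProgramFiles%.
SHARE_DIRS = [("LimeWire", "Shared"), ("Grokster", "My Grokster"), ("Morpheus", "My Shared Folder"),
              ("winmx", "shared"), ("tesla", "files"), ("emule", "incoming"), ("edonkey2000", "incoming"),
              ("bearshare", "shared"), ("icq", "shared folder"), ("kazaa", "my shared folder"),
              ("kazaa lite", "my shared folder"), ("kazaa lite k++", "my shared folder")]
# Words that recur in the lure names above; a double extension is its own signal.
LURE_RE = re.compile(r"crack|keygen|keymaker|activator|key generator|patch|license", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(txt|doc|pdf|jpg|avi|mp3)\.exe$", re.I)
# Constructed stand-in for a dropped binary (MZ header plus filler), not malware.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed demo payload"
FAKE_PE_MD5 = hashlib.md5(FAKE_PE).hexdigest()


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def share_roots(program_files):
    """Return the P2P shared folders that actually exist under program_files."""
    return [p for p in (os.path.join(program_files, *d) for d in SHARE_DIRS) if os.path.isdir(p)]


def sweep_shares(roots, known_md5=KNOWN_MD5):
    """Flag .exe files under the given shares by lure name, double extension or known hash."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                if not fn.lower().endswith(".exe"):
                    continue
                path = os.path.join(dirpath, fn)
                md5 = md5_file(path)
                reasons = []
                if LURE_RE.search(fn):
                    reasons.append("lure name")
                if DOUBLE_EXT_RE.search(fn):
                    reasons.append("double extension")
                if md5 in known_md5:
                    reasons.append("known hash")
                if reasons:
                    findings.append({"name": fn, "path": path, "reasons": reasons, "md5": md5})
    return findings


def autorun_target(drive_root):
    """Return the program an autorun.inf at drive_root would launch, or None.
    Hand-parsed: real autorun.inf files are often padded with junk a strict INI parser rejects."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    section, launch = None, {}
    with open(inf, "r", encoding="latin-1", errors="replace") as fh:
        for line in (l.strip() for l in fh):
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            elif section == "autorun" and "=" in line:
                k, v = line.split("=", 1)
                launch[k.strip().lower()] = v.strip()
    for key in ("open", "shellexecute", "shell\\open\\command"):
        if key in launch:
            return launch[key]
    return None


def build_demo():
    """Constructed directory tree imitating an infected layout (demo data only)."""
    base = tempfile.mkdtemp(prefix="routrobot-demo-")
    program_files = os.path.join(base, "Program Files")
    share = os.path.join(program_files, "LimeWire", "Shared")
    os.makedirs(share)
    for name in ("Adobe Photoshop CS4 crack.exe", "Starcraft2 keys.txt.exe",
                 "Ashampoo Snap 3.02.exe", "readme.txt"):
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(FAKE_PE)
    usb = os.path.join(base, "usb")
    os.makedirs(usb)
    with open(os.path.join(usb, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nicon=shell32.dll,4\nopen=javaupdater.exe\n")
    return {"program_files": program_files, "share": share, "usb": usb}


if __name__ == "__main__":
    demo = build_demo()
    for hit in sweep_shares(share_roots(demo["program_files"])):
        print(hit["md5"], hit["name"], ", ".join(hit["reasons"]))
    print("autorun.inf launches:", autorun_target(demo["usb"]))
```

On an infected host, call `sweep_shares(share_roots(os.environ["ProgramFiles"]))` and `autorun_target("E:\\")` for each removable drive. The name heuristic is deliberately broad, so treat hash hits as confirmed and name hits as leads to hash and submit; the "Ashampoo Snap 3.02.exe" lure in the demo is only caught once its hash is known, which is the point of keeping both checks.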

[Where %WinDir% is the Windows Directory - for example C:\Windows, %ProgramFiles% is C:\Program Files and %AppData% is C:\Documents and Settings\[UserName]\Application Data]

                                       ---------------------------------------------

W32/Routrobot.worm is a worm that spreads via e-mail, removable drives and Peer-to-Peer file sharing networks. This worm also lowers security settings of the compromised system.

W32/Routrobot.worm copies itself to the following shared folders of popular peer-to-peer file sharing applications:

  • %ProgramFiles%\LimeWire\Shared\
  • %ProgramFiles%\Grokster\My Grokster\
  • %ProgramFiles%\Morpheus\My Shared Folder\

The worm creates copies of itself in the above mentioned folders with the following enticing filenames:

    • K-Lite Mega Codec v5.5.1.exe
    • YouTubeGet 5.4.exe
    • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • K-Lite Mega Codec v5.6.1 Portable.exe
    • Adobe Photoshop CS4 crack.exe
    • VmWare 7.0 keygen.exe
    • WinRAR v3.x keygen RaZoR.exe
    • Twitter FriendAdder 2.1.1.exe
    • PDF Unlocker v2.0.3.exe
    • Image Size Reducer Pro v1.0.1.exe
    • Anti-Porn v13.5.12.29.exe
    • Norton Internet Security 2010 crack.exe
    • Kaspersky AntiVirus 2010 crack.exe
    • PDF-XChange Pro.exe
    • Windows 7 Ultimate keygen.exe
    • RapidShare Killer AIO 2010.exe
    • Ashampoo Snap 3.02.exe
    • Blaze DVD Player Pro v6.52.exe
    • Adobe Illustrator CS4 crack.exe
    • Rapidshare Auto Downloader 3.8.exe
    • Trojan Killer v2.9.4173.exe
    • PDF to Word Converter 3.0.exe
    • Google SketchUp 7.1 Pro.exe
    • McAfee Total Protection 2010.exe
    • Mp3 Splitter and Joiner Pro v3.48.exe
    • Youtube Music Downloader 1.0.exe
    • Adobe Acrobat Reader keygen.exe
    • VmWare keygen.exe
    • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • Ad-aware 2010.exe
    • BitDefender AntiVirus 2010 Keygen.exe
    • Norton Anti-Virus 2010 Enterprise Crack.exe
    • Total Commander7 license+keygen.exe
    • LimeWire Pro v4.18.3.exe
    • Download Accelerator Plus v9.exe
    • Internet Download Manager V5.exe
    • Myspace theme collection.exe
    • Nero 9 9.2.6.0 keygen.exe
    • Motorola, nokia, ericsson mobil phone tools.exe
    • Absolute Video Converter 6.2.exe
    • Daemon Tools Pro 4.11.exe
    • Download Boost 2.0.exe
    • Avast 4.8 Professional.exe
    • Grand Theft Auto IV (Offline Activation).exe
    • Alcohol 120 v1.9.7.exe
    • CleanMyPC Registry Cleaner v6.02.exe
    • Super Utilities Pro 2009 11.0.exe
    • Power ISO v4.2 + keygen axxo.exe
    • G-Force Platinum v3.7.5.exe
    • Divx Pro 7 + keymaker.exe
    • Magic Video Converter 8 0 2 18.exe
    • Sophos antivirus updater bypass.exe
    • DVD Tools Nero 10.5.6.0.exe
    • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
    • PDF password remover (works with all acrobat reader).exe
    • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen
    • Windows2008 keygen and activator.exe
    • Tuneup Ultilities 2010.exe
    • Kaspersky Internet Security 2010 keygen.exe
    • Windows XP PRO Corp SP3 valid-key generator.exe

Upon execution the malware binary copies itself in the following system location:

  • %SysDir%\GoogleUpdate.exe

The malware binary drops the following files:

  • %SysDir%\stacsv.exe
  • %SysDir%\bootstat.ocx [Hidden]

The dropped file bootstat.ocx is the keylogging component: it captures the user's keystrokes and sends them to the remote attacker.

When executed the malware binary connects to the Web site 'whatismyip.com' to retrieve the IP address of the infected machine.

The following registry entries have been added to the compromised system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy

The following registry values have been added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}\StubPath: "%SysDir%\stacsv.exe"

The worm registers itself as an authorized application with the Windows Firewall by adding the following value to the registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%SysDir%\GoogleUpdate.exe: "%SysDir%\GoogleUpdate.exe:*:Enabled:Explorer"

The worm executes itself at every logon of the infected user by adding the following registry values:

  • HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Sun Java Updater: "%SysDir%\stacsv.exe"
  • HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Google Update: "%SysDir%\GoogleUpdate.exe"
  • HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Sun Java Updater: "%SysDir%\stacsv.exe"

The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000002 (SERVICE_AUTO_START, the default)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000004 (SERVICE_DISABLED)

Setting Start to 0x00000004 (SERVICE_DISABLED) disables the Error Reporting Service (ERSvc); the worm disables the Windows Security Center service (wscsvc) in the same way.

[Where %SysDir% is the Windows System Directory - for example C:\Windows\System32\ and %Programfiles% is C:\Program Files\]

Symptoms

  • Presence of above mentioned behavior and registry entries.
  • Presence of above mentioned files.

Method of Infection

The initial copy is spread manually as a Trojan, often under the premise that the executable is something beneficial (here, cracks, keygens and popular applications); distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc. Once running, the worm propagates on its own by copying itself to peer-to-peer shared folders and removable drives, as described above.

-----------------------------------------------------------------------------------------------------------

Update on 21-Feb-2010

File Information:

  • File Size - 614400 bytes
  • MD5 -  E94A8FA4FA9067136E4C6A2B43F30D93

Upon execution the malware binary copies itself in the following system location:

  • %System%\GoogleMapper.exe

The malware drops the following files upon execution:

  • %AppData%\SystemProc\lsass.exe
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

The following directories were created:

  • %AppData%\SystemProc
  • %ProgramFiles%\Mozilla Firefox
  • %ProgramFiles%\Mozilla Firefox\extensions
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

Note

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following services were stopped by the malware in order to lower the security settings of the compromised machine:

  • Error Reporting Service - ERSvc
  • Security Center - wscsvc

The following were the registry modifications made by the malware

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\googlex2
  • HKEY_CURRENT_USER\Software\Microsoft\googlex2

The following registry value is set to suppress the Security Center's notification that UAC is disabled:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center   "UACDisableNotify" = "0x00000001"

The malware creates the following registry entries to run upon system start up.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run   "RTHDBPL" = "%AppData%\SystemProc\lsass.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run   "GoogleUpdater3" = "%System%\GoogleMapper.exe"

This bot connects to the following servers. The host names are mail servers (MX and SMTP hosts), consistent with the e-mail propagation noted above:

  • fermi.brixworx.com
  • guardian.cin.net
  • lurch.playbeing.com
  • oak.cin.net
  • mailhost.cin.net
  • ken.mailclub.fr
  • bradley.rrom17.com
  • mx2.cs.tut.fi
  • smtp2.cs.tut.fi
  • mx.cs.tut.fi
  • 95-91-65-181-dynip.superkabel.de
  • mail178.messagelabs.com
  • mail.philosys.de
  • mail194.messagelabs.com
  • methuselah.bigwig.net
  • mailcs.tut.fi
  • mx2.CARNet.hr
  • mail.CARNet.hr
  • lemorh.ieee.org
  • hormel.ieee.org
  • 207.47.72.28.static.nectweb.net
  • mx.tech.numericable.fr
  • portaol-front.tech.numericable.net
  • pop-noos.tech.numericable.net
  • smtp.tech.tech.numericable.net
  • smtp-mx3.alcatel.fr
  • mango.itojun.org
  • mail6.i.s-o.net
  • mx2.3ti.be
  • mxs.midg3t.net
  • mlnetlabs.nl
  • petit-huguenin.org
  • sbcmx5.prodigy.net
  • teluna.org
  • mandatory.mantraonline.com
  • hydra.gt.owl.de
  • bangpath.wcico.de
  • mail1.scram.de
  • ns.scram.de
  • mx2.uq.edu.au
  • spider.end.uq.edu.au
  • cheque1.cheque.uq.edu.au
  • gateway.atrie.de
  • mx1.advalvas.be
  • 193.227.114.116.nmv.be

-----------------------------------------------------------------------------------------------------------

Update on 02-March-2010

In addition to the aforementioned functionality, the malware may also exhibit the following characteristics:

Upon execution the malware binary copies itself in the following system location:

  • %System%\Javaupdater.exe
  • %System%\JNotifier.exe

The malware also drops the following files upon execution:

  • %AppData%\SystemProc\lsass.exe
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

The malware may also drop a copy of itself into popular fileshare directories with filenames such as:

  • Absolute Video Converter 6.2.exe
  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS4 crack.exe
  • Alcohol 120 v1.9.7.exe
  • Anti-Porn v13.5.12.29.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ashampoo Snap 3.02.exe
  • Avast 4.8 Professional.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.11.exe
  • Divx Pro 7 + keymaker.exe
  • Download Accelerator Plus v9.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.5.6.0.exe
  • G-Force Platinum v3.7.5.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto IV (Offline Activation).exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • Kaspersky Internet Security 2010 keygen.exe
  • K-Lite Mega Codec v5.5.1.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • LimeWire Pro v4.18.3.exe
  • Magic Video Converter 8 0 2 18.exe
  • McAfee Total Protection 2010.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2010 Enterprise Crack.exe
  • Norton Internet Security 2010 crack.exe
  • PDF password remover (works with all acrobat reader).exe
  • PDF to Word Converter 3.0.exe
  • PDF Unlocker v2.0.3.exe
  • PDF-XChange Pro.exe
  • Power ISO v4.2 + keygen axxo.exe
  • Rapidshare Auto Downloader 3.8.exe
  • RapidShare Killer AIO 2010.exe
  • Sophos antivirus updater bypass.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Trojan Killer v2.9.4173.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.1.1.exe
  • VmWare 7.0 keygen.exe
  • VmWare keygen.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows 7 Ultimate keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • Windows2008 keygen and activator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • Youtube Music Downloader 1.0.exe
  • YouTubeGet 5.4.exe


The following directories were created:

  • %AppData%\SystemProc
  • %ProgramFiles%\Mozilla Firefox
  • %ProgramFiles%\Mozilla Firefox\extensions
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
  • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

Note

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following services were stopped by the malware in order to lower the security settings of the compromised machine:

  • Error Reporting Service - ERSvc
  • Security Center - wscsvc
  • McAfee Antivirus - McShield

The malware may make the following registry modifications:

  • HKEY_CURRENT_USER\Software\Microsoft\japplet2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\japplet2
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • HKEY_CURRENT_USER\Software\Microsoft\Visual Basic
  • HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The malware creates the following registry entries to run upon system start up.

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SunJavaUpdaterv13"
       Data: C:\WINDOWS\System32\javaupdater.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "RTHDBPL"
      Data: C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe

Firewall access is modified through the following:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\javaupdater.exe"
       Data: C:\WINDOWS\System32\javaupdater.exe:*:Enabled:Explorer
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\javaupdater.exe"
       Data: C:\WINDOWS\system32\javaupdater.exe:*:Enabled:Explorer

This bot attempts connections to the following servers. Two of the extracted strings, lnub.pbz and gevpbzerfrnepu.pbz, are ROT13-encoded and decode to yaho.com and tricomresearch.com respectively:

  • controllrx.com
  • lnub.pbz
  • gevpbzerfrnepu.pbz
  • gmx.de
  • t-online.de
  • andlabs.org
  • smtp.secureserver.net
  • phreaker.net
  • mailstore1.secureserver.net
  • pacbell.net (the trailing bytes of this extracted string were garbled)
  • scintilla.org
  • mf.surf.net
  • kommunikation.t-online.de
  • gto.net.om
  • cwi.nl
  • python.org
  • iquest.net

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants