(aka Win32/Alcan.J, Win32.Worm.VB.Ymeak.A, Trojan.Dropper.Win32.VB.Lu )
[Description]
This worm is designed to spread by using various P2P file sharing applications.
When it is executed it will create a copy in the startup folder for all users
with the name svchost.exe.
After that it will show a message in order to fool the user into thinking that the file can't be run:
The setup file is corrupted
After you click on OK, it will launch the svchost copy and the original program
will end its execution.
The new svchost process will begin to search the Windows folder for various files
that are usually backdoors:
winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe and p2pnetwork.exe
If it can't find any of those files, it will drop a new UPX packed backdoor in the Windows folder
called b.exe.
After that it will try to spread by searching for the following P2P file sharing programs:
BearShare, Limewire, Morpheus, Shareaza
If it finds any of those it will create a subfolder in the shared folder, with the name _ (underscore).
In that folder it will create a copy of itself in order to fool other users into downloading it and infecting
their machines.
In order to avoid detection and to protect itself from deletion, it will open for exclusive access
the following programs: cmd.exe, ipconfig.exe, netstat.exe, ping.exe, tracert.exe,
regedit.exe, regedt32.exe, taskkill.exe and taskmgr.exe
By doing this it will stop you from launching a registry editor or task manager, for example.
When you try to open one of those programs it will show a message telling you that the program is
in use.
[Clean]
It is best to restart the system in safe mode in order to prevent non-critical processes from running at startup
Delete the svchost.exe file from the startup folder
(usually this is: C:\Documents and Settings\All users\Start Menu\Programs\Startup)
Delete the b.exe file that is located in the Windows folder
Friday, March 13, 2009
Trojan.VB.AQT
(aka TR/VB.aqt )
[Description]
This trojan is designed to spread by creating copies of itself on removable drives.
When it is run, it checks if there is a folder called Recycled in the root of the drive.
If the folder doesn't exist it will create it.
It will create a file called info2 and one called desktop.ini in the Recycled folder.
The desktop.ini file has the following contents:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
Inside it, it will create a subfolder also named Recycled, where it will put a copy of itself
with the name ctfmon.exe.
It creates the file autorun.inf in the root drive with the following contents:
[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)
It reads the value of the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
which represents the path of the Startup folder of the current user.
It will copy the ctfmon.exe file there.
[Clean]
Open Task Manager and terminate the ctfmon.exe process
Delete the ctfmon.exe file from the Startup folder
Delete the following files (this should be done also for infected removable drives):
autorun.inf
Recycled\desktop.ini
Recycled\info2
Recycled\Recycled\ctfmon.exe
Adware Spywad
( aka Adware/Spywad, Adware.Spywad, SpySheriff, Trojan.Renos, W32/Renos )
[Description]
When it is run it will copy itself to the C:\Windows directory under the name xpupdate.exe
It will add a key in:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows update loader so it can run at startup
It will check if the file MalwareAlarm from the C:\Program Files\MalwareAlarm directory exists
It will create a thread that searches for dialog windows so it can automatically answer
Windows Firewall prompts in order to get access to the internet
It will download the MalwareAlarm program.
It will create the MalwareAlarm.lic file
It will change the background, it will remove icons, shortcuts and other items from the desktop
It will disable the options to modify the wallpaper, so the user interface will be like the one for Windows NT 4.0
It will show messages that the system is infected with spyware/adware
It will create/modify the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows update loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoAddingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoEditingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoDeletingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperStyle
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\TileWallpaper
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ComponentsPositioned
[Clean]
Open Task Manager and end/terminate the xpupdate.exe process
Delete the C:\Windows\xpupdate.exe file
Delete the registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows update loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
Trojan Winfixer
(aka Application/ErrorSafe, Trojan.Downloader.Winfixer.O, Win32/Winfixer )
[Description]
This is a program designed to trick the user into believing that the computer has errors and that in order to fix them he/she needs to buy it.
When it is first launched it shows a message to inform you that it will download and install a program called ErrorSafe.
After the download is finished, the program is automatically installed and a system scan is made.
When the scan is finished a fake report will be shown with the result that the system has many critical errors.
If you click on the Repair button, you will be redirected to a website in order to purchase the full version of the program.
The errors that are presented in the report do not exist and are shown only to convince you that you need to buy the program.
After the program is installed, it will set itself to run on every startup, by creating the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
UERScw - C:\Program Files\ErrorSafe Free\UERScw.exe
was_check - C:\Program Files\ErrorSafe Free\PASmon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ErrorSafeFree - C:\Program Files\ErrorSafe Free\uers.exe
Also it will add the following CLSIDs to the registry:
{25F43076-32B8-4828-A88C-8288EEE53396}
{3EB15ED2-15A6-4E1A-B84A-ACFAE64583E1}
{53D5C0AF-1B61-44A1-8739-31ABD4117D8D}
{6EF91405-4FCB-4633-BAB3-FA5B3DC40C3B}
{703BDF83-2C12-4d20-8BB0-106DDAB01B59}
{7300F6AF-78E6-4167-845A-6089879F1DB0}
{C5531D07-22C2-418B-85B9-D829AF1498B0}
{E0767047-9D25-4a3a-B905-852CDA087E86}
{E7296F98-6668-419c-AE1D-04ED641E7C3E}
{F585CB1F-F17D-4007-A573-B663197EF500}
[Clean]
In order to clean the program you can go to Control Panel->Add/Remove Programs.
Then select ErrorSafe and click on the Remove button.
After that it is best to open regedit and run a search for the CLSIDs that were listed in the
description of this trojan. If you find any of those keys you can delete them.
It is recommended that before you do any modification, you back up your registry or your system.
Fake job offer from Aegis Capital Group LLC - phishing scam!
[Description]
These days have started with another phishing scam. It is about a fake job offer that appears to be from Aegis Capital Group.
In the fake mail, a position of an "Account manager" is offered (possibly other positions too).
The e-mail is similar to this one:
Subject: the reply for your request for a job place
Dear sirs,
Aegis Capital Group LLC ("Aegis") is a specialty investment firm managing private
equity and venture capital funds with a national focus on small businesses and the
social benefits of supporting entrepreneurs and enhancing local job creation. We
would like to stress, that our company pays special attention to customer support of
private customers, though we also have the corresponding business plans for the
bigger companies as well. A more detailed information about our company you may
obtain at our official website.
Due to the necessity for expansion of our company, we have announced some additional
openings for new employees. We are glad to offer you one of the vacant positions in
our company's team - a position of the "Account manager".
You will have the responsibility for the following duties: fulfillment of orders
given by the company, operations with the bank transfers(direct deposits and wires)
from customers, implementation of calculations regarding customer payments,
acceleration of the space needed for the delivery of payments to the regional
branches by provision of money transactions (customers' payments) via worldwide
Western Union instant transfer system, proces sion of correspondence by means of
mail forwarding and scanning.
The position offered is regarded to be a part-time job, so you will only need to
have about 1 free hour a day to be able to work with us. You will earn a net 10%
commission for every transaction you dealt with. All the traveling expenses and
transfer fee charges are covered by the customer.
You do not need any previous experience in finance sphere, because we will provide
you with the most detailed instructions, support and advice at each stage of the
responsibilities' implementation.
You may hope for the career growth within our company. Under certain circumstances
you will have a chance of providing your services to major companies and VIP
customers. In such a case, both your salary and your status in our company will
sustain an increase.
You may find more detailed info at our website by following hyperlink:
http://joboffer-705236799.acapsite.hk/?vacancy
Sincerely Yours,
HR Manager
------------------------------------------------------------------------------------------------
By following the link given in the offer we are presented with a "job vacancy" page.
If we choose to fill in the online form then we are presented with a "contract page"
where we must complete some fields; among other personal data there is one called
SSN (Social Security Number). More information on SSN can be found here
Also, besides the SSN, there are fields that request bank account number, type of account, account name, etc.
It is just one case among many others where the name of a known company is used in an identity theft scam.
Our advice is to ignore this type of e-mail and delete it from your INBOX.
Spylocked adware
(aka Adware.Spylocked, Adware.SpywareLock.A, Adware/Spylocked )
[Description]
This is an adware program that is designed to show fake messages in order to trick the user into downloading certain programs.
When it is executed the malware will create the following registry keys:
HKCR\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert, DisplayName
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert, UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, bedstead
In order to run at startup, the Spylocked adware uses two registry keys,
SharedTaskScheduler and ShellServiceObjectDelayLoad, which are used by Explorer.exe to load the dll automatically
when the computer starts.
It drops a file named rcohty.dll to the %WINDIR%\System32 folder.
When the dll is loaded by rundll32 it will do the following:
It verifies the existence of the key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked 3.5
If it is present then it will get the value of DisplayIcon and it will execute it.
If it's not present, the dll will show a flashing icon in the system tray and a fake warning message:
"System has detected a number of active spyware applications that may impact the performance of your computer.
Click the icon to get rid of unwanted spyware by downloading an up to date antispyware solution."
If the user clicks on the icon then a new Internet Explorer window appears and a connection is made to:
http://www.spylocked.com
[Clean]
1. Terminate the rundll32.exe process
2. Delete the %WINDIR%\System32\rcohty.dll file
3. Open regedit and delete the following keys
HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, bedstead
Unescape Script Trojans
( a short analysis of Trojan.Agent.AKT )
[Description]
This is a JavaScript trojan. Basically it just opens a connection to an adult webpage.
Below I will present some technical details that are usually encountered in most JavaScript trojans.
The code of this trojan looks something like this: (only a part will be shown)
<script language="javascript">
document.write(unescape('%3C%73%63%72%69...'));dF('%264Dtdsjqu%2631...')</script>
N.B.:
This code is usually added in adult web-sites and is set to be triggered by a certain action.
The unescape function replaces every character encoded in the %xx hexadecimal form with its ASCII character.
So, when that script is executed, the real code will be like this:
<script language="javascript">
function dF(s)
{
var s1 = unescape(s.substr(0, s.length-1));
....
}
After that there is a call to this function. The parameter is actually encoded code that opens a specific window.
So, the dF function decrypts the %264Dtdsjqu%2631... to
http://egno{blocked}.com/questbook/in.cgi?...&HTTP_REFERER=file...NAME_OF_THE_FILE.html...
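As an added example (not code from this post or from the trojan), here is a Node.js decoder for the two layers described above: the plain unescape() layer and the dF() layer. The post shows only the first line of dF, so the rest of the routine (the last character of the argument is a shift key, every character code of the unescaped text is reduced by that key, and the result is unescaped once more) is assumed from the widely reused dF obfuscator; the sample page and its example.invalid payload are constructed by hand with key 1.

```javascript
// legacyUnescape() reimplements the deprecated unescape(): %XX and %uXXXX
// sequences become characters, everything else passes through unchanged.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Stage 2: dF(s). The post only shows the first line of dF, so the rest is an
// ASSUMPTION based on the common dF obfuscator: the last character of s is a
// shift key, the remaining text is percent-decoded, every char code is reduced
// by the key, and the result is percent-decoded a second time.
function decodeDF(s) {
  const key = parseInt(s.substr(s.length - 1, 1), 10);
  if (Number.isNaN(key)) throw new Error('dF payload does not end in a numeric key');
  const s1 = legacyUnescape(s.substr(0, s.length - 1));
  let t = '';
  for (let i = 0; i < s1.length; i++) {
    t += String.fromCharCode(s1.charCodeAt(i) - key);
  }
  return legacyUnescape(t);
}

// Triage helper: pull every unescape('...') and dF('...') argument out of an
// HTML page and return what each call would have written into the document,
// so the analyst can read the real script without executing the page.
function decodePage(html) {
  const results = [];
  const re = /\b(unescape|dF)\(\s*'([^']*)'\s*\)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const decoded = m[1] === 'dF' ? decodeDF(m[2]) : legacyUnescape(m[2]);
    results.push({ func: m[1], decoded });
  }
  return results;
}

// CONSTRUCTED sample page modelled on the snippet in the post. The unescape
// argument extends the post's '%3C%73%63%72%69' prefix to a whole <script> tag;
// the dF payload was encoded by hand with key 1 and points at example.invalid,
// not at the real site named in the post.
const SAMPLE_HTML =
  '<script language="javascript">' +
  "document.write(unescape('%3C%73%63%72%69%70%74%3E'));" +
  "dF('%264Db%2631isfg%264E%2633iuuq%264B%263G%263Gfybnqmf%263Fjowbmje%263G%2633%264F1')" +
  '</script>';

// Stand-alone run: print what the obfuscated calls would have written.
if (typeof require !== 'undefined' && require.main === module) {
  for (const entry of decodePage(SAMPLE_HTML)) {
    console.log(`${entry.func}: ${entry.decoded}`);
  }
}
```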
[Clean]
In order to clean the computer, you just need to delete the html file that contains this script.