Nume:TR/Drop.Bomka.G.2
Descoperit pe data de:09/02/2006
Tip:Troian
Subtip:Dropper
ITW:Nu
Numar infectii raportate:Scazut
Potential de raspandire:Scazut
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:185.953 Bytes
MD5:141dd10Ecaaffae90828993c1f2aab70
Versiune VDF:6.33.00.212

 General Metoda de raspandire:
   • Nu are rutina proprie de raspandire


Alias:
   •  Mcafee: AdClicker-DW
   •  TrendMicro: TROJ_BOMKA.G
   •  Sophos: Troj/Bombka-F
   •  Panda: Trj/Dropper.QN
   •  Bitdefender: Trojan.Downloader.Bomka.G


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Efecte secundare:
   • Creeaza fisiere
   • Creeaza un fisier malware
   • Modificari in registri
   • Sustrage informatii

 Fisiere Sunt create fisierele:

– Un fisier temporar care poate fi sters dupa aceea:
   • %TEMPDIR%\ns%combinatie de caractere aleatoare%.tmp

– %SYSDIR%\kaboom.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Dldr.Bomka.G

– %TEMPDIR%\game1.exe Fisierul este executat dupa ce a fost creat.

 Registrii sistemului Inregistreaza un browser helper object (BHO) prin adaugarea urmatoarelor chei in registri:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}]
– [HKCR\Horde.Labspak]
   • @="Labspak"

– [HKCR\Horde.Labspak\CLSID]
   • @="{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}"

– [HKCR\Horde.Labspak\CurVer]
   • @="Horde.Labspak.1"

– [HKCR\Horde.Labspak.1]
   • @="Labspak"

– [HKCR\Horde.Labspak.1\CLSID]
   • @="{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}"

– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}]
   • @="Labspak"

– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\InprocServer32]
   • @="%SYSDIR%\kaboom.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\ProgID]
   • @="Horde.Labspak.1"

– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\Programmable]
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\TypeLib]
   • @="{90EC7761-4998-4536-B4D7-9EB72ADB3042}"

– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\
   VersionIndependentProgID]
   • @="Horde.Labspak"

– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0]
   • @="KABOOMLib"

– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\0\win32]
   • @="%SYSDIR%\kaboom.dll"

– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\FLAGS]
   • @="0"

– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\HELPDIR]
   • @="%SYSDIR%\"



Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Zeal]
   • "campaign_id"="18"
   • "is_dialup"=dword:%numar hexazecimal%
   • "user_id"="%sir de 6 caractere aleatoare%"
   • "sleep_delay"=dword:%numar hexazecimal%
   • "install_delay"=dword:%numar hexazecimal%
   • "main_delay"=dword:%numar hexazecimal%
   • "stage"=dword:%numar hexazecimal%
   • "timeout"=dword:%numar hexazecimal%

– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}]
   • @="ILabspak"

– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\
   ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\
   ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\TypeLib]
   • @="{90EC7761-4998-4536-B4D7-9EB72ADB3042}"
   • "Version"="3.0"

 Backdoor Servere contactate:
Unul dintre:
   • joywebserfer.com/counter11/**********
   • cleverhead.info/counter11/**********
   • wannabcool.info/counter11/**********
   • somethngcool.info/counter11/**********
   • sortbycool.info/counter11/**********
   • mucho-cool.com/counter11/**********
   • epromosystems.com/counter11/**********

Urmatorul:
   • mucho-cool.com/counter11/**********

Astfel se pot transmite informatii si se poate obtine control la distanta. Aceasta se face printr-o interogare HTTP GET intr-un script PHP.
Raspunsul serverului este scris in fisierul: %TEMPDIR%\s32o.%random number%


Trimte informatii despre:
    • Numele sistemului
    • Utilizatorul curent
    • Tipul conexiunii la Internet
    • ID-ul platformei


Posibilitati de control la distanta:
    • Vizitarea unui website

 Injectarea codului malware in alte procese –  Injecteaza fisierul urmator intr-un proces: kaboom.dll

    Numele procesului:
   • iexplore.exe


 Detaliile fisierului Limbaj de programare:
 Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
   • UPX

Die Beschreibung wurde erstellt von Daniel Constantin am Dienstag, 14. Februar 2006
Die Beschreibung wurde geändert von Daniel Constantin am Dienstag, 14. Februar 2006

zurück . . . .