Virus: TR/Dldr.Krepper.G.2
Date discovered: 19/09/2005
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 26.624 Bytes
MD5 checksum: 105b31a167a5d9751ac15c3032394513
VDF version: 6.26.0.8

General Method of propagation:
   • No own spreading routine


Aliases:
   • McAfee: MultiDropper-IM
   • Kaspersky: Trojan-Downloader.Win32.Krepper.g
   • TrendMicro: TROJ_KREPPER.G
   • Sophos: Troj/Krepper-G
   • Grisoft: Downloader.Krepper.I
   • VirusBuster: Trojan.DL.Krepper.H
   • Bitdefender: Trojan.Downloader.Kreeper.G


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\inetdata\services.exe



A section is added to a file.
– To: %WINDIR%\System.ini, with the following contents:
   • load=%WINDIR%\inetdata\winlogon.exe




The following file is created:

%WINDIR%\inetdata\version.txt



It tries to download some files:

– The location is the following:
   • **********.com/gallerys/xpsystem/3.00.36.exe
It is saved on the local hard drive under %WINDIR%\inetdata\winlogon.exe and is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.CWS.h.1.B


– The location is the following:
   • traff-**********.com/gallerys/xpsystem/3.00.09.dll
It is saved on the local hard drive under %WINDIR%\inetdata\3.00.09.dll. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.Delf.BV.1

Registry
The following registry keys are re-added continuously in an infinite loop so that the process is started again after a reboot:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "xp_system"="%WINDIR%\inetdata\services.exe"

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "xp_system"="%WINDIR%\inetdata\services.exe"



It registers a Browser Helper Object (BHO) by adding the following key:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
   • @=""



The following registry keys are added:

– HKCU\Software\Microsoft\Internet Explorer\Main
   • "Enable Browser Extensions"="yes"

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "run"="%WINDIR%\inetdata\services.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
   • "statexpsystem"=dword:00000000
   • "estatexpsystem"=dword:00000000
   • "state"=%random character string%
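The persistence mechanisms listed above (the System.ini `load=` entry, the `xp_system` Run values, the legacy `run` value, the BHO CLSID, the marker values under Explorer and the dropped files in %WINDIR%\inetdata) can be checked read-only from an administrative PowerShell prompt. The script below is an added example and is not part of the Avira description; every path, value name and CLSID it looks for is taken from this page, while the script structure and its report format are assumptions. It only reads the registry and file system and compares the MD5 of any dropped file against the checksum given at the top of the page.

```powershell
# Added example (not from the original description): read-only audit of the
# TR/Dldr.Krepper.G.2 persistence locations listed on this page.
$win      = $env:WINDIR
$bhoClsid = '{5321E378-FFAD-4999-8C62-03CA8155F0B3}'   # BHO CLSID from the description
$knownMd5 = '105b31a167a5d9751ac15c3032394513'         # MD5 of the original sample from the description
$findings = @()

# 1. "xp_system" Run values in HKCU and HKLM
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name 'xp_system' -ErrorAction SilentlyContinue).xp_system
    if ($val) { $findings += "Run value xp_system in $key -> $val" }
}

# 2. Legacy Win16-style "run" value under Windows NT\CurrentVersion\Windows
$key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$val = (Get-ItemProperty -Path $key -Name 'run' -ErrorAction SilentlyContinue).run
if ($val -and $val -like '*inetdata\services.exe') { $findings += "Legacy run value in $key -> $val" }

# 3. Browser Helper Object registration by CLSID
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
if (Test-Path $bhoKey) { $findings += "BHO registered: $bhoKey" }

# 4. Marker values the downloader writes under HKCU\...\Explorer
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
foreach ($name in 'statexpsystem', 'estatexpsystem') {
    if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
        $findings += "Marker value $name present in $key"
    }
}

# 5. load= line in %WINDIR%\System.ini pointing at inetdata\winlogon.exe
$ini = Join-Path $win 'System.ini'
if (Test-Path $ini) {
    $hit = Select-String -Path $ini -Pattern '^\s*load\s*=.*inetdata\\winlogon\.exe'
    if ($hit) { $findings += "System.ini load= entry: $($hit.Line.Trim())" }
}

# 6. Dropped files in %WINDIR%\inetdata; services.exe is a copy of the sample,
#    so its MD5 should match the checksum from the description
foreach ($f in 'services.exe', 'winlogon.exe', '3.00.09.dll', 'version.txt') {
    $path = Join-Path $win "inetdata\$f"
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        $note = if ($hash -eq $knownMd5) { 'matches known sample' } else { 'hash differs from known sample' }
        $findings += "File present: $path (MD5 $hash, $note)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TR/Dldr.Krepper.G.2 indicators found.'
} else {
    Write-Output 'TR/Dldr.Krepper.G.2 indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it as an administrator so the HKLM keys and %WINDIR% are readable; a hit on the BHO key or the Run values with no file present indicates the loop that re-creates the keys may still be running, so check the process list for services.exe loaded from %WINDIR%\inetdata before cleaning the registry.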

Backdoor
Contact server:
The following:
   • **********.com/gallerys/xpsystem/version.txt.php?

As a result, remote control capability is provided. This is done via an HTTP GET request to a PHP script.
The server's answer is written to the file: %WINDIR%\inetdata\version.txt


Remote control capabilities:
    • Download file

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packers:
   • PE_Patch.PECompact
   • PecBundle
   • PECompact

Description inserted by Irina Boldea on Monday, September 19, 2005
Description updated by Irina Boldea on Tuesday, September 27, 2005
